API REFERENCE
ZEPETO World Open API
Creating a JWT authentication token for use with the open API
Open API request format

The ZEPETO Open API is called via HTTP. If a body is present in the request, parameters must be sent in JSON format. Examples of valid content types are shown below; there may be slight differences depending on the programming language library you use.

Content-Type: application/json; charset=utf-8

Get access key, secret key from ZEPETO Studio

Before creating a JWT authentication token, you need to get an access key and secret key from the ZEPETO Studio console.

📘 Please refer to the following guide: Managing Open API.

Creating a JWT authentication token

For each request to the ZEPETO Open API, a JWT (https://jwt.io) format token is generated from the issued access key and secret key and sent in the Authorization header. HS256 is recommended as the signature method, and the secret used for signing is the issued secret key. Because HS256 is a symmetric HMAC signature, anyone who holds the secret key can produce valid tokens, so keep it on your own server and out of client code and source control.

The JWT token payload has the following format.

JWT token payload

{
  "access_key": "issued access key (required)",
  "nonce": "randomized uuid value (required)",
  "uri_hash": "a hashed value of the uri, including the query params, excluding the base path (required)",
  "body_hash": "hashed value of the request body"
}

uri_hash is the hashed value of the URI, including the query params and excluding the base path. body_hash is the hash of the request body converted to a JSON string; it is inserted into the payload only when a request body exists and is omitted when there is none. When the body is converted to a JSON string, there should be no spaces between the keys and values (for example `{"key":"value"}`, not `{"key": "value"}`); some JSON serializers insert such spaces by default. uri_hash and body_hash must be computed over exactly the query params and request body that are sent with the request (the order of the values must be identical as well). The examples below compute both hashes with SHA-256 and Base64-encode the digest.

Limit on number of API calls

Up to 300 calls are available in 1 minute.

Example when there is no request body

Please enter the access key, secret key, worldId, URI, and query param according to the API you wish to use. The example code below has been written based on the get player
data api of the datastorage category java string accesskey = "accesskey"; string secretkey = "secretkey"; string worldid = "com test world"; string uri = "/datastorage/v1/worlds/" + worldid + "/player data"; messagedigest urihash = messagedigest getinstance("sha 256"); urihash update(uri getbytes(standardcharsets utf 8)); byte\[] urihashbytes = urihash digest(); objectmapper objectmapper = new objectmapper(); map\<string, object> payload = new hashmap<>(); payload put("access key", accesskey); payload put("nonce", uuid randomuuid() tostring()); payload put("uri hash", new string(base64 encodebase64(urihashbytes), standardcharsets utf 8)); string jwttoken = jwts builder() setpayload(objectmapper writevalueasstring(payload)) signwith(signaturealgorithm hs256, secretkey getbytes(standardcharsets utf 8)) compact(); string authorization = "bearer " + jwttoken; python import jwt import uuid import hashlib import base64 accesskey = 'accesskey' secretkey = 'secretkey' worldid = 'com test world' uri = '/datastorage/v1/worlds/' + worldid + '/player data?playerid=testplayerid\&keys=test' hash = hashlib sha256() hash update(uri encode()) payload = { 'access key' accesskey, 'nonce' str(uuid uuid4()), 'uri hash' base64 b64encode(hash digest()) decode('utf8') } jwt token = jwt encode(payload, secretkey) authorization = 'bearer {}' format(jwt token) nodejs import as jwt from 'jsonwebtoken'; import as uuid from 'uuid'; import as crypto from 'crypto js'; import { buffer } from 'safe buffer'; const accesskey = 'accesskey'; const secretkey = 'secretkey'; const worldid = 'com test world'; const uri = '/datastorage/v1/worlds/' + worldid + '/player data?playerid=testplayerid\&keys=test'; const hash = crypto sha256(uri); const payload = { access key accesskey, nonce uuid v4(), uri hash buffer from(hash tostring(), 'hex') tostring('base64') }; const jwttoken = jwt sign(payload, secretkey); const authorization = `bearer ${jwttoken}`; example when there is request body please enter the 
access key, secret key, worldld, uri, and body param according to the api you wish to use the example code below has been written based on the set player data api of the datastorage category java string accesskey = "accesskey"; string secretkey = "secretkey"; string worldid = "com test world"; string uri = "/datastorage/v1/worlds/" + worldid + "/player data"; messagedigest urihash = messagedigest getinstance("sha 256"); urihash update(uri getbytes(standardcharsets utf 8)); byte\[] urihashbytes = urihash digest(); objectmapper objectmapper = new objectmapper(); playerdata datamap = new playerdata("test", "test value"); list\<playerdata> datalist = new arraylist<>(); datalist add(datamap); playerdatasetparam param = new playerdatasetparam(datalist, "testplayerid"); messagedigest paramhash = messagedigest getinstance("sha 256"); paramhash update(objectmapper writevalueasstring(param) getbytes(standardcharsets utf 8)); byte\[] paramhashbytes = paramhash digest(); map\<string, object> payload = new hashmap<>(); payload put("access key", accesskey); payload put("nonce", uuid randomuuid() tostring()); payload put("uri hash", new string(base64 encodebase64(urihashbytes), standardcharsets utf 8)); payload put("body hash", new string(base64 encodebase64(paramhashbytes), standardcharsets utf 8)); string jwttoken = jwts builder() setpayload(objectmapper writevalueasstring(payload)) signwith(signaturealgorithm hs256, secretkey getbytes(standardcharsets utf 8)) compact(); string authorization = "bearer " + jwttoken; python import jwt import uuid import hashlib import base64 import simplejson as json accesskey = 'accesskey' secretkey = 'secretkey' worldid = 'com test world' uri = '/datastorage/v1/worlds/' + worldid + '/player data' hash = hashlib sha256() hash update(uri encode()) param = { 'playerid' 'testplayerid', 'data' \[ { 'key' 'test', 'value' 'test value' } ] } param hash = hashlib sha256() param hash update(json dumps(param, ensure ascii=false, encoding='surrogatepass') 
encode()) payload = { 'access key' accesskey, 'nonce' str(uuid uuid4()), 'uri hash' base64 b64encode(hash digest()) decode('utf8'), 'body hash' base64 b64encode(param hash digest()) decode('utf8') } jwt token = jwt encode(payload, secretkey) authorization = 'bearer {}' format(jwt token) nodejs import as jwt from 'jsonwebtoken'; import as uuid from 'uuid'; import as crypto from 'crypto js'; import { buffer } from 'safe buffer'; const accesskey = 'accesskey'; const secretkey = 'secretkey'; const worldid = 'com test world'; const uri = '/datastorage/v1/worlds/' + worldid + '/player data'; const hash = crypto sha256(uri); const param = { playerid 'testplayerid', data \[ { value 'test value', key 'test' } ] }; const paramhash = crypto sha256(json stringify(param,null,0)); const payload = { access key accesskey, nonce uuid v4(), uri hash buffer from(hash tostring(), 'hex') tostring('base64'), body hash buffer from(paramhash tostring(), 'hex') tostring('base64') }; const jwttoken = jwt sign(payload, secretkey); const authorization = `bearer ${jwttoken}`;

❗️ Caution

The Open API is a feature provided for use in a separate web or app. Currently, ZEPETO server scripts cannot make ZEPETO Open API calls. If you want to make Open API calls in ZEPETO multiplayer, we suggest the following approach:

- Set up a separate server that performs the necessary business logic by communicating with the Open API.
- Use the HttpService package in ZEPETO server to communicate directly with the server you've set up.
- Implement a relatively simple authentication method between the servers, such as using HTTP Authorization headers, so that calls can be made within the features supported by ZEPETO server.