Challengermode
Home
Dashboard
Game Integration API
Client API
Auth API
Embeds

Auth API

Server Authentication

Server Authentication enables your application to perform actions for your application. Known as bot access, this method uses a Bot to represent your application. It's ideal for high-privilege tasks, system-level operations, or accessing cacheable public data. Examples include:
Fetching Public Tournament Data
Use bot access to query non-personal tournament data from Challengermode's client API.
Seeding Tournaments
Link your Bot to a space to manage and seed tournaments programmatically.
Posting Game Results
Integrate your game with Challengermode by using a Bot to submit game session results.

Concepts

Bots

A Bot represents your application on Challengermode, performing actions on its behalf. By default, Bots can access public data. When granted bot access to spaces, they appear as Bots within those spaces and can interact with space-specific resources.Key functions of a Bot:
Authentication
Authenticated requests via bot access verify your application's identity.
Authorization
You can grant your Bot access to specific resources on the platform, such as linking your Bot to a Space.This allows the bot to manage resources, post updates, or perform other permitted actions within that Space.

Bot authentication

Server authentication uses
BOT
tokens. When an API requires this method, requests are authenticated via a Bot representing your application, ensuring secure bot access.To obtain a
BOT
token, you exchange a long-lived Refresh Key that you can create in the Application Dashboard. The access token is short-lived, with a default life time is 20 minutes. See Retrieve a Bot Access Key for authentication details.

Bot access to a Space

In the Challengermode application dashboard, you can link your Bot to a Space that you are yourself an admin of. This will add the Bot to the Space as a co-admin and allow it to perform actions on behalf of the Space. The Bot will be able to manage resources, post updates, or perform other permitted actions within that Space.

Components

Retrieve Bot Access Key

To obtain a
BOT
, exchange your refresh key using the
post
/v1/auth/access_keys API.
1

Generate Refresh Key

In your Application Dashboard, navigate to the credentials tab to create a long-lived refresh key. Store it securely, as it's shown only once.
Generate
Create the refresh key out-of-band and store it safely in your environment.
Редактирование
Assign a name to the refresh key for easier identification.
Revoke
Revoke the key if it's compromised or needs rotation. This prevents unauthorized API access.
Example refresh key:
"NzU0MjkxYzE1ODQ5NDk5YzM0ZjYwOGQ4YTczYjg4OTNZcVBZQ09vYmx4aGJEekxxSFpFUmN0TERaUVB2Tk5sTA=="
2

Retrieve Bot Access Token

Use your refresh key with the
post
/v1/auth/access_keys endpoint to obtain a short-lived
BOT
. This token grants access to specific API resources.Example Bot access token:
{
    value: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJDaGFsbGVuZ2VybW9kZSIsImlhdCI6MTYwOTc2NjEwNSwiZXhwIjoxNjA5NzczMzA1LCJhdWQiOiJ3d3cuY2hhbGxlbmdlcm1vZGUuY29tIiwic3ViIjoiYXBwIiwiQXBwaWQiOiIxNjI3N2JjZi1lNTA3LTQxNDctODA0Ni1hMDhiYjA2NTk4M2EifQ.curC74a7rSZMfu1dmsYHNsz60mgtsnlQR6vZeLK5Ff4",
    expiresAt: "2021-10-26T07:48:14.2830852Z"
}
3

Call APIs

Use the access token with Bearer authentication to call authorized endpoints:
curl -H "Authorization: Bearer <access key token>" undefined/v1/tournaments/8e1ae7b7-683a-44c7-290e-08d89c6e5cd2

Bot user info

Since your application is represented by a Bot on Challengermode, you can call
post
/v1/me/userinfo or the GraphQL query
post
Me in the Challengermode Client API to test your authentication. The returned subject/user ID corresponds to the public-facing ID of your Bot user.