LaunchQA Middleware

Party A API Integration Guide

Technical guide for redirecting authenticated Party A members into the gaming lobby using a short-lived tmp_code and the GMI01 getLoginID exchange.

Overview

This integration lets a logged-in Party A member enter the game lobby without a lobby username or password.

Party A sends the member's browser to the lobby with a short-lived tmp_code. The middleware verifies that code by calling Party A's getLoginID API from the server side.

Returning user: lobby opens immediately. First-time user: lobby shows one WSD registration captcha. The user only types the captcha; the middleware creates and stores WSD game account credentials internally.

Values To Exchange

ItemDirectionValue
Lobby base URLWe provide to Party Ahttps://launchqa.click/
Partner slugWe provide to Party A<PARTNER_SLUG>
Server-to-server tokenWe provide to Party A, or agree during onboarding<X_AUTH_TOKEN>
Party A API base URLParty A provides to us<PARTY_A_API_BASE_URL>
Party A test member idsParty A provides to usThrowaway/internal members only
IP allowlist, if neededParty A provides/acceptsOur middleware egress IPs

Do not send real user traffic until both sides complete the canary checklist.

Browser Redirect

After the user is authenticated on Party A, Party A creates a single-use tmp_code and redirects the browser to the production lobby:

https://launchqa.click/?partner=<PARTNER_SLUG>&tmp_code=<URL_ENCODED_TMP_CODE>

Example

HTTP/1.1 302 Found
Location: https://launchqa.click/?partner=party-a-prod&tmp_code=SX5D8KRLUQv7aecGUxbxGn
NameRequiredRulesDescription
partneryesLowercase letters, digits, hyphens; 2-64 charsThe partner slug assigned during onboarding.
tmp_codeyes6-128 chars; URL-encodedOne-time code minted by Party A for this member entry.

Party A Server API

The middleware verifies tmp_code by calling Party A server-to-server.

POST <PARTY_A_API_BASE_URL>/v1/auth/getLoginID
Content-Type: application/json
X-Auth-Token: <X_AUTH_TOKEN>

{
  "tmp_code": "SX5D8KRLUQv7aecGUxbxGn"
}

Current middleware timeout: 10 seconds.

Success Response

{
  "message": "Success",
  "result_code": 200,
  "user_id": "900000001"
}

Failure Responses

CaseSuggested responseMiddleware behavior
Invalid or unknown tmp_code{"message":"Invalid tmp_code","result_code":400}Entry is rejected; user must return to Party A for a fresh entry.
Expired tmp_code{"message":"tmp_code expired","result_code":400}Entry is rejected as expired; user must return to Party A.
Replayed tmp_codeSame as invalid after first successful exchangeEntry is rejected. The middleware also has its own replay guard.
Party A temporary outageHTTP 5xx, timeout, or malformed responseMiddleware shows temporary unavailable/retry state.
Wrong tokenHTTP 401 or equivalentTreat as integration configuration issue; do not create a user.

For expired codes, include the word expired or expire in message until both sides agree on a dedicated result code.

User Flow

Returning User

  1. Party A redirects with a fresh tmp_code.
  2. Middleware calls getLoginID.
  3. Middleware finds an existing mapping for (partner, user_id).
  4. Lobby opens immediately.

No captcha, username, or password is shown.

First-Time User

  1. Party A redirects with a fresh tmp_code.
  2. Middleware calls getLoginID.
  3. Middleware finds no existing mapping.
  4. Lobby shows a welcome screen.
  5. User clicks Enjoy now.
  6. Lobby fetches a fresh WSD captcha.
  7. User types only the captcha.
  8. Middleware creates the WSD account and opens the lobby.

Middleware API Reference

These endpoints are normally called by our lobby frontend after the browser redirect. Party A generally only needs the redirect contract and getLoginID API above.

POST /api/entry/party-a

{
  "partner": "party-a-prod",
  "tmpCode": "SX5D8KRLUQv7aecGUxbxGn"
}

Returning-user response

{
  "status": "authenticated",
  "session": {
    "authenticated": true,
    "userId": "usr_xxx",
    "username": "pa***********",
    "accountState": "active",
    "wsdAccountMasked": "wsd***001"
  },
  "mapping": "existing"
}

First-time-user response

{
  "status": "captcha_required",
  "ticket": "ticket_xxx",
  "captcha": {
    "captchaId": "captcha_xxx",
    "imageDataUrl": "data:image/png;base64,...",
    "expiresAt": "2026-07-07T00:00:00.000Z"
  }
}

POST /api/entry/party-a/register

Called by our lobby after the user enters the WSD captcha.

{
  "ticket": "ticket_xxx",
  "captchaCode": "1234"
}

POST /api/entry/party-a/register/refresh

Called by our lobby when the user requests a fresh captcha.

{
  "ticket": "ticket_xxx"
}

Error Shape

{
  "code": "PARTY_A_CODE_EXPIRED",
  "message": "The entry code expired. Please return to Party A and try again.",
  "retryable": false,
  "requestId": "req_xxx"
}
CodeMeaningRecommended user action
PARTY_A_PARTNER_UNKNOWNPartner slug is wrong or disabled.Check integration configuration.
PARTY_A_CODE_INVALIDtmp_code is unknown or malformed.Return to Party A and mint a new code.
PARTY_A_CODE_EXPIREDtmp_code expired.Return to Party A and mint a new code.
PARTY_A_CODE_REPLAYEDSame tmp_code was already processed.Return to Party A and mint a new code.
PARTY_A_UNAVAILABLEParty A API could not be reached or returned bad response.Retry after Party A/API recovery.
PARTY_A_RATE_LIMITEDToo many attempts from this source.Slow down and retry later.
PARTY_A_REGISTRATION_CAPTCHA_INVALIDUser typed wrong WSD captcha.User can retry the captcha.
PARTY_A_REGISTRATION_CAPTCHA_EXPIREDWSD captcha expired.Refresh captcha and retry.
PARTY_A_REGISTRATION_FAILEDWSD registration temporarily failed.Retry later or escalate with requestId.

Security Notes

Canary Test Plan

Use throwaway/internal Party A members only until both sides approve go-live.
  1. Party A creates one test member and redirects to the lobby with a fresh tmp_code.
  2. First entry shows welcome screen, then one WSD captcha after Enjoy now.
  3. User enters captcha manually.
  4. Lobby opens.
  5. Same Party A member enters again with a new tmp_code.
  6. Lobby opens directly, with no captcha.
  7. Expired tmp_code returns expired state.
  8. Replayed tmp_code returns replay/invalid state.
  9. Disabled partner slug is rejected.
  10. Both sides confirm no duplicate WSD account or duplicate mapping was created.

Production Go-Live Checklist