Overview
This integration lets a logged-in Party A member enter the game lobby without a lobby username or password.
Party A sends the member's browser to the lobby with a short-lived tmp_code. The middleware verifies that code by calling Party A's getLoginID API from the server side.
Values To Exchange
| Item | Direction | Value |
|---|---|---|
| Lobby base URL | We provide to Party A | https://launchqa.click/ |
| Partner slug | We provide to Party A | <PARTNER_SLUG> |
| Server-to-server token | We provide to Party A, or agree during onboarding | <X_AUTH_TOKEN> |
| Party A API base URL | Party A provides to us | <PARTY_A_API_BASE_URL> |
| Party A test member ids | Party A provides to us | Throwaway/internal members only |
| IP allowlist, if needed | Party A provides/accepts | Our middleware egress IPs |
Do not send real user traffic until both sides complete the canary checklist.
Browser Redirect
After the user is authenticated on Party A, Party A creates a single-use tmp_code and redirects the browser to the production lobby:
https://launchqa.click/?partner=<PARTNER_SLUG>&tmp_code=<URL_ENCODED_TMP_CODE>
Example
HTTP/1.1 302 Found
Location: https://launchqa.click/?partner=party-a-prod&tmp_code=SX5D8KRLUQv7aecGUxbxGn
| Name | Required | Rules | Description |
|---|---|---|---|
partner | yes | Lowercase letters, digits, hyphens; 2-64 chars | The partner slug assigned during onboarding. |
tmp_code | yes | 6-128 chars; URL-encoded | One-time code minted by Party A for this member entry. |
tmp_codemust be random/unpredictable.tmp_codemust be single-use.- Recommended TTL is 5 minutes or less.
- It must identify exactly one currently authenticated Party A member.
- It must not contain PII or reusable credentials.
- It must be rejected by Party A after successful exchange.
Party A Server API
The middleware verifies tmp_code by calling Party A server-to-server.
POST <PARTY_A_API_BASE_URL>/v1/auth/getLoginID
Content-Type: application/json
X-Auth-Token: <X_AUTH_TOKEN>
{
"tmp_code": "SX5D8KRLUQv7aecGUxbxGn"
}
Current middleware timeout: 10 seconds.
Success Response
{
"message": "Success",
"result_code": 200,
"user_id": "900000001"
}
user_idmay be a string or number.user_idmust be stable for the same Party A member.user_idmust never be recycled to a different member.user_idmust be non-empty.user_idshould not expose unnecessary personal information.
Failure Responses
| Case | Suggested response | Middleware behavior |
|---|---|---|
Invalid or unknown tmp_code | {"message":"Invalid tmp_code","result_code":400} | Entry is rejected; user must return to Party A for a fresh entry. |
Expired tmp_code | {"message":"tmp_code expired","result_code":400} | Entry is rejected as expired; user must return to Party A. |
Replayed tmp_code | Same as invalid after first successful exchange | Entry is rejected. The middleware also has its own replay guard. |
| Party A temporary outage | HTTP 5xx, timeout, or malformed response | Middleware shows temporary unavailable/retry state. |
| Wrong token | HTTP 401 or equivalent | Treat as integration configuration issue; do not create a user. |
For expired codes, include the word expired or expire in message until both sides agree on a dedicated result code.
User Flow
Returning User
- Party A redirects with a fresh
tmp_code. - Middleware calls
getLoginID. - Middleware finds an existing mapping for
(partner, user_id). - Lobby opens immediately.
No captcha, username, or password is shown.
First-Time User
- Party A redirects with a fresh
tmp_code. - Middleware calls
getLoginID. - Middleware finds no existing mapping.
- Lobby shows a welcome screen.
- User clicks
Enjoy now. - Lobby fetches a fresh WSD captcha.
- User types only the captcha.
- Middleware creates the WSD account and opens the lobby.
Middleware API Reference
These endpoints are normally called by our lobby frontend after the browser redirect. Party A generally only needs the redirect contract and getLoginID API above.
POST /api/entry/party-a
{
"partner": "party-a-prod",
"tmpCode": "SX5D8KRLUQv7aecGUxbxGn"
}
Returning-user response
{
"status": "authenticated",
"session": {
"authenticated": true,
"userId": "usr_xxx",
"username": "pa***********",
"accountState": "active",
"wsdAccountMasked": "wsd***001"
},
"mapping": "existing"
}
First-time-user response
{
"status": "captcha_required",
"ticket": "ticket_xxx",
"captcha": {
"captchaId": "captcha_xxx",
"imageDataUrl": "data:image/png;base64,...",
"expiresAt": "2026-07-07T00:00:00.000Z"
}
}
POST /api/entry/party-a/register
Called by our lobby after the user enters the WSD captcha.
{
"ticket": "ticket_xxx",
"captchaCode": "1234"
}
POST /api/entry/party-a/register/refresh
Called by our lobby when the user requests a fresh captcha.
{
"ticket": "ticket_xxx"
}
Error Shape
{
"code": "PARTY_A_CODE_EXPIRED",
"message": "The entry code expired. Please return to Party A and try again.",
"retryable": false,
"requestId": "req_xxx"
}
| Code | Meaning | Recommended user action |
|---|---|---|
PARTY_A_PARTNER_UNKNOWN | Partner slug is wrong or disabled. | Check integration configuration. |
PARTY_A_CODE_INVALID | tmp_code is unknown or malformed. | Return to Party A and mint a new code. |
PARTY_A_CODE_EXPIRED | tmp_code expired. | Return to Party A and mint a new code. |
PARTY_A_CODE_REPLAYED | Same tmp_code was already processed. | Return to Party A and mint a new code. |
PARTY_A_UNAVAILABLE | Party A API could not be reached or returned bad response. | Retry after Party A/API recovery. |
PARTY_A_RATE_LIMITED | Too many attempts from this source. | Slow down and retry later. |
PARTY_A_REGISTRATION_CAPTCHA_INVALID | User typed wrong WSD captcha. | User can retry the captcha. |
PARTY_A_REGISTRATION_CAPTCHA_EXPIRED | WSD captcha expired. | Refresh captcha and retry. |
PARTY_A_REGISTRATION_FAILED | WSD registration temporarily failed. | Retry later or escalate with requestId. |
Security Notes
- The browser only receives
partnerandtmp_code; it never receives the server-to-server token. - The middleware never returns raw Party A
user_idto the browser. - The middleware stores the Party A user mapping server-side.
- The middleware generates WSD credentials internally and stores sensitive credential material encrypted.
tmp_code, tokens, and raw WSD credentials must not be logged by either side.- Production uses HTTPS for browser and server-to-server traffic.
Canary Test Plan
- Party A creates one test member and redirects to the lobby with a fresh
tmp_code. - First entry shows welcome screen, then one WSD captcha after
Enjoy now. - User enters captcha manually.
- Lobby opens.
- Same Party A member enters again with a new
tmp_code. - Lobby opens directly, with no captcha.
- Expired
tmp_codereturns expired state. - Replayed
tmp_codereturns replay/invalid state. - Disabled partner slug is rejected.
- Both sides confirm no duplicate WSD account or duplicate mapping was created.
Production Go-Live Checklist
- Final lobby URL confirmed as
https://launchqa.click/. - Final partner slug confirmed.
- Party A API base URL confirmed.
X-Auth-Tokenownership confirmed.- Party A confirms
tmp_codeTTL, single-use behavior, and error messages. - Party A confirms stable non-recycled
user_id. - IP allowlist complete, if Party A restricts server-to-server calls.
- One throwaway-member canary passes end to end.
- Real members remain disabled until both sides approve go-live.