Developer Documentation

Authentication

Secure OAuth2 implementation and API key management for NexusLaunch integrations.


OAuth2 Authorization Flow

NexusLaunch uses the OAuth 2.0 authorization code grant type with PKCE for all third-party integrations. Redirect users to our identity provider at https://auth.nexuslaunch.io/connect/authorize to initiate secure session handshakes.

After successful authentication, the identity server returns a short-lived authorization code to your registered redirect URI. Exchange this code for an access token and refresh token by posting to https://auth.nexuslaunch.io/connect/token. Access tokens expire after 3600 seconds, while refresh tokens remain valid for 2592000 seconds unless explicitly revoked.

Step 1: Authorization Request

Append client_id=nl_prod_8a9f2c, scope=openid profile launcher.read, the code_challenge derived from your code_verifier, code_challenge_method=S256, and your redirect_uri to the authorization endpoint. Ensure your application's state parameter is cryptographically random, and check that the state returned on your redirect URI matches the stored value, to prevent CSRF.

Step 2: Token Exchange

Submit a POST request with grant_type=authorization_code, your code_verifier, and the received authorization code. The JSON response includes access_token, refresh_token and id_token fields (the access and ID tokens are standard JWTs) together with an expires_in field giving the access token lifetime in seconds.

Step 3: Session Validation

Validate the id_token signature against our public JWKS endpoint at https://auth.nexuslaunch.io/.well-known/jwks.json. Verify the iss, aud, and exp claims before granting access to protected launcher resources.
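The three steps above as one client-side flow, written as an added example for this page rather than NexusLaunch's own SDK or code. The endpoints, client id and scopes are the ones given on the page; the value of the iss claim (taken here as https://auth.nexuslaunch.io), the RS256 signing algorithm, sending client_id in the token request, and the use of PyJWT for the JWKS signature check are assumptions. Everything except verify_id_token runs offline with the standard library.

```python
import base64
import hashlib
import secrets
import time
import urllib.parse
from typing import Dict, Optional, Tuple

# Endpoints, client id and scopes are the ones given on this page.
AUTHORIZE_URL = "https://auth.nexuslaunch.io/connect/authorize"
TOKEN_URL = "https://auth.nexuslaunch.io/connect/token"
JWKS_URL = "https://auth.nexuslaunch.io/.well-known/jwks.json"
CLIENT_ID = "nl_prod_8a9f2c"
SCOPES = "openid profile launcher.read"
ISSUER = "https://auth.nexuslaunch.io"  # ASSUMED iss value; take the real one from the IdP metadata


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 (PKCE) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_for(code_verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_authorize_url(redirect_uri: str, state: str, code_challenge: str) -> str:
    """Step 1: the URL the browser is sent to. `state` must come from secrets.token_urlsafe()."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "scope": SCOPES,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def check_callback(query: str, expected_state: str) -> str:
    """On the redirect: refuse any callback whose state differs from the stored one (CSRF check)."""
    q = urllib.parse.parse_qs(query)
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request_body(code: str, code_verifier: str, redirect_uri: str) -> Dict[str, str]:
    """Step 2: form fields for the POST to TOKEN_URL (application/x-www-form-urlencoded)."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,  # ASSUMED: public client identifies itself in the body
        "code": code,
        "code_verifier": code_verifier,
        "redirect_uri": redirect_uri,
    }


def validate_claims(claims: dict, now: Optional[float] = None, leeway: int = 60) -> bool:
    """Step 3 claim checks (iss, aud, exp) on an already signature-verified id_token payload."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        return False
    exp = claims.get("exp")
    return isinstance(exp, (int, float)) and now <= exp + leeway


def verify_id_token(id_token: str) -> dict:
    """Step 3 signature check against the JWKS endpoint using PyJWT (pip install 'pyjwt[crypto]').
    ASSUMED: tokens are signed with RS256. Pinning `algorithms` rejects any token that claims a
    different algorithm instead of letting the token header choose how it is verified."""
    import jwt  # imported here so the rest of the module runs without PyJWT installed
    key = jwt.PyJWKClient(JWKS_URL).get_signing_key_from_jwt(id_token).key
    claims = jwt.decode(id_token, key, algorithms=["RS256"], audience=CLIENT_ID, issuer=ISSUER)
    if not validate_claims(claims):
        raise ValueError("id_token claims rejected")
    return claims


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)
    print(build_authorize_url("https://app.example.invalid/callback", state, challenge))
```

Store the code_verifier and state server-side (or in an HttpOnly session cookie) between Step 1 and the callback; both must be tied to the user's session, never passed through the browser in the clear, and the token exchange itself belongs on your backend, not in the client bundle.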

API Key Management & Security

Server-to-server integrations require scoped API keys generated through the NexusLaunch Developer Console. Never embed credentials in client-side bundles or public repositories.

Each API key is bound to a specific project environment and supports granular permission sets. Rotate keys every 90 days using the console's automated rotation feature, which maintains dual-key availability during transition periods to prevent service disruption.

Enforce Least Privilege

Assign only the minimum required scopes. For matchmaking services, use match.create and match.read instead of the legacy launcher.full_access scope. Audit permissions quarterly via the GET /v2/integrations/keys endpoint.

Rate Limiting & Throttling

NexusLaunch enforces a baseline rate limit of 120 requests per minute per API key. Implement exponential backoff starting at 500ms when receiving 429 Too Many Requests responses. Burst allowances reset at the top of each UTC hour.
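An added example of the backoff this section asks for, not code from NexusLaunch. It goes a little beyond the text: a client-side token bucket paces calls at the stated 120 requests per minute so the key rarely hits a 429 in the first place, and the retry loop starts at 500 ms and doubles with jitter. The 32 s cap and six-attempt limit are assumptions, the Response type and the flaky sender are constructed stand-ins for a real HTTP client and API, and honouring a Retry-After header is an assumption (the page does not say NexusLaunch sends one).

```python
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

REQUESTS_PER_MINUTE = 120   # baseline limit stated on the page
BASE_DELAY = 0.5            # page: backoff starts at 500 ms
MAX_DELAY = 32.0            # ASSUMED cap on a single wait; the page gives none
MAX_ATTEMPTS = 6            # ASSUMED


class TokenBucket:
    """Client-side limiter refilling at the published rate; `clock` is injectable for tests."""

    def __init__(self, per_minute: int = REQUESTS_PER_MINUTE,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = per_minute
        self.tokens = float(per_minute)
        self.rate = per_minute / 60.0     # tokens per second
        self.clock = clock
        self.last = clock()

    def try_acquire(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def backoff_delay(attempt: int, retry_after: Optional[float] = None,
                  jitter: Callable[[], float] = random.random) -> float:
    """Wait before retry `attempt` (0-based): 0.5 s, 1 s, 2 s, ... capped at MAX_DELAY, with
    'equal jitter' (half fixed, half random) so many clients do not retry in lock-step.
    A Retry-After value from the server, if present, overrides the computed delay."""
    if retry_after is not None:
        return max(0.0, retry_after)
    ceiling = min(MAX_DELAY, BASE_DELAY * (2 ** attempt))
    return ceiling / 2 + (ceiling / 2) * jitter()


@dataclass
class Response:
    """Minimal stand-in for an HTTP client response (constructed for this example)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def call_with_backoff(send: Callable[[], Response], sleep: Callable[[float], None] = time.sleep,
                      jitter: Callable[[], float] = random.random) -> Response:
    """Run `send` until it returns something other than 429, sleeping per backoff_delay between tries."""
    for attempt in range(MAX_ATTEMPTS):
        resp = send()
        if resp.status != 429:
            return resp
        ra = resp.headers.get("Retry-After")
        sleep(backoff_delay(attempt, float(ra) if ra is not None else None, jitter))
    raise RuntimeError("still rate limited after %d attempts" % MAX_ATTEMPTS)


def make_flaky_sender(throttled_replies: int,
                      retry_after: Optional[str] = None) -> Callable[[], Response]:
    """Constructed fake API: answers 429 `throttled_replies` times, then 200."""
    state = {"calls": 0}

    def send() -> Response:
        state["calls"] += 1
        if state["calls"] <= throttled_replies:
            hdrs = {"Retry-After": retry_after} if retry_after else {}
            return Response(429, hdrs, "Too Many Requests")
        return Response(200, {}, '{"ok": true}')

    return send


if __name__ == "__main__":
    waits: List[float] = []
    resp = call_with_backoff(make_flaky_sender(2), sleep=waits.append, jitter=lambda: 1.0)
    print(resp.status, waits)   # 200 [0.5, 1.0]
```

Wrap each outbound call as `if bucket.try_acquire(): call_with_backoff(...)`; when the bucket is empty, queue the request rather than sending it, since the 429 path exists for the occasional burst at the UTC hour boundary, not as the normal way of pacing traffic.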

Secret Storage & Rotation

Store API keys in encrypted environment variables or dedicated secret managers like HashiCorp Vault. Trigger automatic rotation before the 90-day expiry window. Deprecated keys receive a 14-day grace period before hard revocation.