Integrate Xbox services easily.

We provide you all the tools you need to get started.

Get started for free! Sign up here

Instantly get access with 150 requests per hour. Options are available to increase this limit.

Introduction

The OpenXBL API is designed using REST and returns data from Xbox services. Every call is predictable and uses HTTP response codes to indicate API errors. We use standard HTTP features, such as the X-Authorization and Accept request headers, which HTTP clients understand. OpenXBL supports cross-origin resource sharing (CORS), allowing you to interact with the API from a client-side application. The API supports JSON and XML responses; JSON is returned by all API responses unless otherwise configured.

Getting Started

If you're using a personal API Key generated from your profile, you can jump right in by passing that private key in the `X-Authorization` header. You can use this credential to make requests against the account you signed in with.

If you are interested in creating an app you should first create one in your profile. The value used in the `X-Authorization` header will be the App Key that is returned after making a claims request.

In addition to making a claims request, an app must pass a static header `X-Contract` with the value `100`. This lets OpenXBL know that the X-Authorization value you are about to use is designated for your consumer's account.

App Key

When a consumer signs into your app by visiting https://xbl.io/app/auth/{YourPublicKey}, they will be directed to the Microsoft login screen. Aside from being known network traffic, OpenXBL is only used to facilitate the handshake between the consumer and your application.

Upon successful login they will be redirected to the route of your choosing with a "code" URL query parameter. This code value must be claimed within a few minutes to get the consumer's actual secret key and begin making requests.

Claims Request

A claims request is an additional measure taken to validate that the secret key is headed to the right place. If not claimed within a few minutes, the request will be invalidated. The secret key can only be claimed once.

The next step is to make a POST request to https://xbl.io/app/claim as shown below. The code parameter is taken from the URL query parameter and "app_key" is the application public key used to make the request.

curl -X POST https://xbl.io/app/claim -H "Content-Type: application/json" -d '{"code": "string", "app_key": "string"}'

The Basics

The API base URL is https://xbl.io/api/v2

Provide the X-Authorization request header with a value of one of your API Keys or App Keys.

If you're using an app then include the X-Contract: 100 request header.

curl --header "X-Authorization: API_KEY" https://xbl.io/api/v2/account

PHP Wrapper

Out of the box OpenXBL has prepared a wrapper that can be used in PHP projects. We do plan to add wrappers for other languages in the future so be sure to check back!

Simply upload the file to your server and include it in your project. Immediately tap into the power of Xbox Live. The wrapper supports HTTPS GET and POST methods.

Request Headers

These are the accepted request headers:

// Your (or your consumer's) authorization key.
X-Authorization: [API Key, APP Key]

// Format of response.
Accept: [application/json, application/xml]

// Language.
Accept-Language: [en-US, de-DE, etc]

// Calls that come from your app.
X-Contract: 100

Response Headers

The headers of every response include your rate limit information, which is useful for determining whether you're about to exhaust your hourly limit.


HTTP/1.1 200 OK
Content-Type: application/json
X-RateLimit-Limit: 500
X-RateLimit-Spent: 32
X-RateLimit-Remaining: 468
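
The app flow and headers described above, tied together as an added Python example (not OpenXBL's own code or its PHP wrapper). The function names, the callback URL and the sample keys are constructed for illustration; the claim response format is not shown on this page, so the claimed App Key is taken as an input rather than parsed.

```python
import json
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request

CLAIM_URL = "https://xbl.io/app/claim"   # claim endpoint from the page
API_BASE = "https://xbl.io/api/v2"       # base URL from the page, single slash

def extract_code(redirect_url):
    """Return the "code" query parameter; reject missing or repeated values."""
    values = parse_qs(urlsplit(redirect_url).query).get("code", [])
    if len(values) != 1:
        raise ValueError("expected exactly one 'code' query parameter")
    return values[0]

def build_claim_request(code, public_key):
    """POST body mirrors the curl call: the code plus the app's public key."""
    body = json.dumps({"code": code, "app_key": public_key}).encode("utf-8")
    return Request(CLAIM_URL, data=body, method="POST",
                   headers={"Content-Type": "application/json"})

def build_api_request(path, key, from_app=False):
    """GET request with X-Authorization; apps also send X-Contract: 100."""
    headers = {"X-Authorization": key, "Accept": "application/json"}
    if from_app:
        headers["X-Contract"] = "100"
    return Request(API_BASE + "/" + path.lstrip("/"), headers=headers)

def should_pause(response_headers, reserve=10):
    """True when the remaining hourly quota is at or below the reserve.
    A missing or non-numeric header counts as exhausted (fail closed)."""
    try:
        remaining = int(response_headers.get("X-RateLimit-Remaining"))
    except (TypeError, ValueError):
        return True
    return remaining <= reserve

if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    redirect = "https://app.example/callback?code=SAMPLE-CODE"
    claim = build_claim_request(extract_code(redirect), "SAMPLE-PUBLIC-KEY")
    print(claim.get_method(), claim.full_url, claim.data.decode())
    api = build_api_request("account", "SAMPLE-APP-KEY", from_app=True)
    print(api.full_url, api.header_items())
    print(should_pause({"X-RateLimit-Remaining": "468"}))
```

Pass the returned `Request` objects to `urllib.request.urlopen` on your server so the claimed key never reaches the consumer's browser or your logs.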
					
Are you a consumer? Did you know...

At any point in time you can disassociate with apps by navigating to https://account.live.com/consent/Manage. Further requests will be denied.

Additional Guides

There is a video tutorial on creating apps as well as some other useful links on our Guides page.