
Your next project starts here.

We provide you all the tools you need to integrate with Xbox Live API on the web.

Get started for free! Sign up here

Instantly get access with 150 requests per hour. Options are available to increase this limit.

The OpenXBL API is designed using REST. Every call is predictable and uses HTTP response codes to indicate API errors. We use built-in HTTP features like HTTP X-Authorization and Accept headers which are understood by HTTP clients. OpenXBL supports cross-origin resource sharing (CORS) allowing you to interact with the API from a client-side application. JSON is returned by all API responses unless otherwise configured. The API supports JSON and XML responses.

PHP Wrapper

We have provided an easy-to-use wrapper on GitHub written in PHP. Simply upload the file to your server and include it in your project to immediately tap into the power of Xbox Live. The wrapper supports HTTPS GET and POST methods.


If you are not using PHP as your primary language - no problem!

The API base url is

Provide the X-Authorization request header with a value of one of your API keys

If using an app also provide X-Contract: 100


$ curl --header "X-Authorization: API_KEY"

Request Headers

These are acceptable request headers

// Your (or your client's) authorization key
X-Authorization: [API Key, APP Key]

// Format of response
Accept: [application/json, application/xml]

// Language
Accept-Language: [en-US, de-DE, etc]

// Calls that come from your app
X-Contract: 100

Response Headers

The headers of every response include your rate limit information, which is useful for determining whether you are about to exhaust your hourly limit.

HTTP/1.1 200 OK

Content-Type: application/json

X-RateLimit-Limit: 500

X-RateLimit-Spent: 32

X-RateLimit-Remaining: 468

Integrating OpenXBL into your project could not be easier. Follow this guide and watch our step-by-step video!

How does it work?

Your clients will start by first authenticating with Microsoft and then granting consent to share information with the app you created in Azure.

Microsoft will then send a handshake request to and from there we will send the client off to your app.

Once the client lands on your app there will be a "code" parameter in the URL. Your app will then make a claims request to to retrieve the private client key.

If you plan to store this key in a database you should first encrypt it and only use it when you need to make a request for information on behalf of the client (such as getting messages or friends list).
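One way to encrypt the client key before storing it, as described above. This is an added example, not OpenXBL's own code: it uses AES-256-GCM from Node's built-in crypto module and binds the database row's user id as associated data. The function names, the `v1` storage format and the user id are assumptions, and the sample key is constructed.

```javascript
const nodeCrypto = require('crypto');

// Assumption: in production the 32-byte master key comes from a secrets manager
// or KMS, never from the database that holds the ciphertext. Generated here for the demo.
const MASTER_KEY = nodeCrypto.randomBytes(32);

// Encrypt with AES-256-GCM. userId (hypothetical row identifier) is bound as
// associated data so a stored value cannot be moved to another user's row.
function sealClientKey(clientKey, userId, masterKey) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', masterKey, iv);
  cipher.setAAD(Buffer.from(String(userId), 'utf8'));
  const ct = Buffer.concat([cipher.update(clientKey, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Stored format: "v1" . iv . tag . ciphertext, each binary part base64url-encoded
  return ['v1', iv, tag, ct]
    .map((p) => (Buffer.isBuffer(p) ? p.toString('base64url') : p))
    .join('.');
}

// Decrypt only at the moment a request is made on behalf of the client.
// Throws if the value was modified, the master key is wrong, or userId differs.
function openClientKey(stored, userId, masterKey) {
  const parts = stored.split('.');
  if (parts.length !== 4 || parts[0] !== 'v1') throw new Error('unknown format');
  const [iv, tag, ct] = parts.slice(1).map((p) => Buffer.from(p, 'base64url'));
  if (iv.length !== 12 || tag.length !== 16) throw new Error('malformed value');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', masterKey, iv);
  decipher.setAAD(Buffer.from(String(userId), 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample value, not a real client key.
const sampleKey = 'constructed-client-key-0000';
const stored = sealClientKey(sampleKey, 42, MASTER_KEY);
console.log(stored.startsWith('v1.'), openClientKey(stored, 42, MASTER_KEY) === sampleKey);
```

Store only the returned string in the database column; keeping the version prefix lets you rotate the master key or algorithm later without guessing how old rows were encrypted.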

Are you a client? Did you know...

At any point in time clients can disassociate themselves from apps by navigating to Further requests against the client key will be denied.