Authentication

All requests must be signed using HMAC SHA-256. This protects against tampering and replay attacks.

Required headers

GLX-Game-Key: YOUR_GAME_KEY
GLX-Timestamp: 2025-08-10T14:23:00Z
GLX-Signature: <HMAC_SHA256>

GLX-Timestamp must be UTC ISO 8601 or epoch seconds.
Server enforces a small clock skew window (e.g., ±120s) to prevent replay.

Signature format

[method][endpoint][querystring][body][game_secret][timestamp]

Concatenate exactly in that order (empty segments are empty strings), then compute HMAC-SHA256 with your game_secret, hex encode (lowercase).

Example (C#)

var method = "POST";
var endpoint = "/events/hit";
var query = ""; // empty for POST without query
var body = "{\"player_id\":\"p_123\",\"event_type\":\"achievement\"}";
var secret = GAME_SECRET;
var timestamp = DateTime.UtcNow.ToString("o");

var payload = $"{method}{endpoint}{query}{body}{secret}{timestamp}";
using var hmac = new System.Security.Cryptography.HMACSHA256(System.Text.Encoding.UTF8.GetBytes(secret));
var signature = Convert.ToHexString(hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(payload))).ToLowerInvariant();

Common verification failures

Different JSON ordering/whitespace between client and server body (normalize consistently).
Missing querystring in signature for GET calls.
Timestamp outside allowed skew or not UTC.

Full code (Godot, JS, C#), error codes, and troubleshooting are available in the member docs. Join now to unlock.