lattice-auth — Identity & token issuance

Issues Ed25519 access/refresh tokens for guests, email accounts, and third-party identities; manages bans and anti-cheat reputation. Source: control-plane/lattice-auth/src/LatticeAuth/Program.cs.

  • JWT: iss=lattice-auth, aud=lattice, alg=EdDSA (Ed25519). Access-token TTL 10 min; refresh-token TTL 30 days. Email login is locked out for 15 min after repeated failed attempts.
  • Access-token claims: sub, sid, platform, roles[], region, iss, aud, iat, exp, jti.
  • Consumers of the token (director, game servers) must accept alg=EdDSA only, verify the signature against a key published at /.well-known/jwks.json, and check iss, aud and exp before trusting any claim; roles[] drives the RBAC on the admin endpoints below and is only as trustworthy as that verification.
  • DTOs use snake_case.

Auth / session

Anonymous unless noted.

Method · Path · Purpose · Body → Response
POST /guest · guest login · {region?, device_fingerprint?} → TokenResponse{access_token, refresh_token, expires_in, account_id}
POST /register · email signup · {email, password, region?} → {account_id}
POST /login · email login · {email, password, device?} → TokenResponse
POST /platform · third-party login · {provider, ticket, device?} → TokenResponse
POST /identity · synonym for /platform · {provider, ticket, device?} → TokenResponse
POST /refresh · rotate tokens · {refresh_token} → TokenResponse
POST /logout · revoke the session (requires Bearer JWT) · no body → 204

Account / linked identities

Requires Bearer JWT.

Method · Path · Purpose · Body → Response
GET /account · profile + identities · → AccountResponse{account_id, display_name, status, roles[], region, is_guest, identities:IdentityView[]}
GET /account/identities · linked identities · → IdentitiesResponse{account_id, identities:IdentityView[]}
POST /account/identities · link a provider · {provider, ticket} → IdentityView{provider, provider_user_id, verified}
DELETE /account/identities/{provider} · unlink · → 204, or 404 if that provider is not linked

Bans & anti-cheat (RBAC)

Method · Path · Role · Body → Response
POST /admin/bans · super-admin or admin (platform-wide or per game); developer (game_id required, so developer bans are always game-scoped) · {account_id, game_id?, reason?, expires_at?} → BanView{id, account_id, game_id?, reason, issued_by, created_at, expires_at?, lifted_at?, active}
POST /admin/unban · same roles as /admin/bans · {account_id, game_id?} → {account_id, lifted}
GET /admin/bans?account_id= · admin · → BanView[]
GET /admin/flagged?game_id= · admin · → FlaggedView[]{account_id, game_id?, violation_count, severity_sum, last_violation_type?, last_seen_at}
GET /bans/{accountId}?game_id= · anonymous; returns only the boolean, no PII · → BanCheckResponse{account_id, game_id?, banned}

The /admin/flagged feed is built from the anti-cheat on_violation scores that game servers report. The anonymous /bans/{accountId} check is what the director and game servers call at connect time to refuse a banned account; it deliberately returns only the boolean, so an unauthenticated caller learns nothing about the account beyond whether it is banned for the queried game.
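The connect-time gate described above, written out in Go as an added example (not lattice-auth's code, which is C#, and not the director's): a client for GET /bans/{accountId}?game_id= that decodes the documented BanCheckResponse, and an admission function that only admits on an explicit "not banned" answer. Failing closed when the auth service is unreachable or answers with an unexpected status is this example's design choice, not documented behaviour. The in-process fake server and its ban table (a platform-wide ban and one game-scoped ban) are constructed test data.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// BanCheckResponse is the documented anonymous response DTO (snake_case).
type BanCheckResponse struct {
	AccountID string  `json:"account_id"`
	GameID    *string `json:"game_id,omitempty"`
	Banned    bool    `json:"banned"`
}

// BanChecker calls GET /bans/{accountId}?game_id= on lattice-auth.
type BanChecker struct {
	Base   string
	Client *http.Client
}

// Banned returns (true, nil) for a banned account, (false, nil) for a clear one,
// and an error whenever a trustworthy answer could not be obtained. Callers must
// treat the error as "refuse" (fail closed; an assumption of this example).
func (b BanChecker) Banned(ctx context.Context, accountID, gameID string) (bool, error) {
	u := b.Base + "/bans/" + url.PathEscape(accountID)
	if gameID != "" {
		u += "?game_id=" + url.QueryEscape(gameID)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
	if err != nil {
		return false, err
	}
	resp, err := b.Client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("ban check: unexpected status %d", resp.StatusCode)
	}
	var out BanCheckResponse
	// Bound the body: the response is a few fields, never more than a few bytes.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 4096)).Decode(&out); err != nil {
		return false, err
	}
	if out.AccountID != accountID {
		return false, errors.New("ban check: response is for a different account")
	}
	return out.Banned, nil
}

// AdmitPlayer is the connect-time gate: only an explicit "not banned" admits.
func AdmitPlayer(ctx context.Context, bc BanChecker, accountID, gameID string) (bool, string) {
	banned, err := bc.Banned(ctx, accountID, gameID)
	if err != nil {
		return false, "ban check unavailable: " + err.Error()
	}
	if banned {
		return false, "account banned"
	}
	return true, ""
}

// FakeAuth stands in for lattice-auth with a constructed ban table:
// account -> game_id scope, where "" means a platform-wide ban.
func FakeAuth(bans map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := strings.TrimPrefix(r.URL.Path, "/bans/")
		gid := r.URL.Query().Get("game_id")
		scope, ok := bans[id]
		var g *string
		if gid != "" {
			g = &gid
		}
		w.Header().Set("content-type", "application/json")
		json.NewEncoder(w).Encode(BanCheckResponse{AccountID: id, GameID: g, Banned: ok && (scope == "" || scope == gid)})
	}))
}

func main() {
	srv := FakeAuth(map[string]string{"acct-banned": "", "acct-cheater": "g1"}) // constructed data
	defer srv.Close()
	bc := BanChecker{Base: srv.URL, Client: &http.Client{Timeout: 2 * time.Second}}
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	for _, p := range [][2]string{{"acct-clean", "g1"}, {"acct-banned", "g1"}, {"acct-cheater", "g1"}, {"acct-cheater", "g2"}} {
		ok, why := AdmitPlayer(ctx, bc, p[0], p[1])
		fmt.Printf("%s in %s: admitted=%v %s\n", p[0], p[1], ok, why)
	}
}
```

The game-scoped account is refused in g1 and admitted in g2, which is the distinction the game_id query parameter exists for; a client that forgets to pass game_id asks a different question (platform-wide only) and will admit players the developer banned.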

Infra

Method · Path · Purpose
GET /.well-known/jwks.json · publish signing public keys (anonymous)
GET /healthz, GET /readyz · liveness / readiness
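The token format from the top of this page and the JWKS endpoint above, worked end to end in Go as an added example (not lattice-auth's code, which is C#): the issuer side mints an EdDSA token carrying the documented claims and publishes the public key as an RFC 8037 OKP JWK; the resource-server side does what the director or a game server should do with a Bearer token. Assumptions beyond the page: the JWKS document shape, a kid header naming the signing key, and aud as a single string as stated above. The claim values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the documented access-token claim set.
type Claims struct {
	Sub      string   `json:"sub"`
	Sid      string   `json:"sid"`
	Platform string   `json:"platform"`
	Roles    []string `json:"roles"`
	Region   string   `json:"region"`
	Iss      string   `json:"iss"`
	Aud      string   `json:"aud"` // single string as documented; an array form is not accepted here
	Iat      int64    `json:"iat"`
	Exp      int64    `json:"exp"`
	Jti      string   `json:"jti"`
}

// JWK is an Ed25519 public key in the RFC 8037 OKP layout; the kid is an assumption.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
}

// JWKS is the document shape assumed for GET /.well-known/jwks.json.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

var b64 = base64.RawURLEncoding

// NewIssuerKey makes a signing key and the JWKS that would publish it.
func NewIssuerKey(kid string) (ed25519.PrivateKey, JWKS) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, JWKS{Keys: []JWK{{Kty: "OKP", Crv: "Ed25519", Kid: kid, X: b64.EncodeToString(pub)}}}
}

// Mint produces a compact JWS the way an EdDSA issuer would (example only).
func Mint(priv ed25519.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput)))
}

// Verify is the resource-server side: pin alg, select the key by kid, check the
// signature, then iss/aud/exp. Any deviation is a rejection.
func Verify(token string, keys JWKS, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// The token never chooses the algorithm: only EdDSA is acceptable.
	if hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub ed25519.PublicKey
	for _, k := range keys.Keys {
		if k.Kid == hdr.Kid && k.Kty == "OKP" && k.Crv == "Ed25519" {
			raw, err := b64.DecodeString(k.X)
			if err != nil || len(raw) != ed25519.PublicKeySize {
				return nil, errors.New("bad JWK")
			}
			pub = ed25519.PublicKey(raw)
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no key for kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Iss != "lattice-auth" || c.Aud != "lattice" {
		return nil, errors.New("wrong issuer or audience")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	priv, jwks := NewIssuerKey("k1")
	now := time.Now()
	tok := Mint(priv, "k1", Claims{Sub: "acct-1", Sid: "sess-1", Platform: "guest", Roles: []string{"player"},
		Region: "eu", Iss: "lattice-auth", Aud: "lattice", Iat: now.Unix(), Exp: now.Add(10 * time.Minute).Unix(), Jti: "j1"}) // constructed claims
	c, err := Verify(tok, jwks, now)
	fmt.Println("genuine:", c != nil, err)
	attacker, _ := NewIssuerKey("k1") // attacker reuses the kid but not the key
	_, err = Verify(Mint(attacker, "k1", Claims{Sub: "acct-1", Iss: "lattice-auth", Aud: "lattice", Exp: now.Add(time.Hour).Unix()}), jwks, now)
	fmt.Println("forged:", err)
}
```

The order in Verify is the point: the algorithm is pinned before any key is looked up, so an alg=none or HMAC token is rejected before its header can influence key selection, and iss, aud and exp are read only after the signature holds, so unsigned claims never drive a decision.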

Guest login → matchmake

# 1. Anonymous guest login; the access token is TokenResponse.access_token.
TOKEN=$(curl -s -X POST http://auth/guest -d '{"region":"eu"}' \
        -H 'content-type: application/json' | jq -r .access_token)
# 2. Present it as a Bearer token to the director (valid for 10 min; use /refresh afterwards).
curl -s -X POST http://director/matchmake -H "authorization: Bearer $TOKEN" \
     -H 'content-type: application/json' -d '{"region":"eu","mode":"ffa"}'