# lattice-auth — Identity & token issuance
Issues Ed25519 access/refresh tokens for guests, email accounts, and third-party identities;
manages bans and anti-cheat reputation. Source:
control-plane/lattice-auth/src/LatticeAuth/Program.cs.
- JWT: iss=lattice-auth, aud=lattice, alg=EdDSA. Access-token TTL 10 min, refresh TTL 30 days. Email-login lockout after repeated failures: 15 min.
- Access-token claims: sub, sid, platform, roles[], region, iss, aud, iat, exp, jti.
- DTOs use snake_case.
## Auth / session
Anonymous unless noted.
| Method · Path | Purpose | Body → Response |
|---|---|---|
| POST /guest | guest login | {region?, device_fingerprint?} → TokenResponse{access_token, refresh_token, expires_in, account_id} |
| POST /register | email signup | {email, password, region?} → {account_id} |
| POST /login | email login | {email, password, device?} → TokenResponse |
| POST /platform | third-party login | {provider, ticket, device?} → TokenResponse |
| POST /identity | synonym for /platform | {provider, ticket, device?} → TokenResponse |
| POST /refresh | rotate tokens | {refresh_token} → TokenResponse |
| POST /logout | revoke (Bearer JWT) | — → 204 |
## Account / linked identities
Requires Bearer JWT.
| Method · Path | Purpose | Response |
|---|---|---|
| GET /account | profile + identities | AccountResponse{account_id, display_name, status, roles[], region, is_guest, identities:IdentityView[]} |
| GET /account/identities | linked identities | IdentitiesResponse{account_id, identities:IdentityView[]} |
| POST /account/identities | link a provider | {provider, ticket} → IdentityView{provider, provider_user_id, verified} |
| DELETE /account/identities/{provider} | unlink | 204 / 404 |
## Bans & anti-cheat (RBAC)

| Method · Path | Role | Body / Response |
|---|---|---|
| POST /admin/bans | super-admin/admin (platform) or developer (must set game_id) | {account_id, game_id?, reason?, expires_at?} → BanView{id, account_id, game_id?, reason, issued_by, created_at, expires_at?, lifted_at?, active} |
| POST /admin/unban | same | {account_id, game_id?} → {account_id, lifted} |
| GET /admin/bans?account_id= | admin | BanView[] |
| GET /admin/flagged?game_id= | admin | FlaggedView[]{account_id, game_id?, violation_count, severity_sum, last_violation_type?, last_seen_at} |
| GET /bans/{accountId}?game_id= | anonymous (boolean only, no PII) | BanCheckResponse{account_id, game_id?, banned} |
The /admin/flagged feed is built from the anti-cheat on_violation scores that
game servers report. The anonymous /bans/{accountId} check is what the director
and game servers call to refuse a banned account at connect time; it returns only
the boolean, never the ban reason or other PII.
## Infra

| Method · Path | Purpose |
|---|---|
| GET /.well-known/jwks.json | publish signing public keys (anonymous) |
| GET /healthz, GET /readyz | liveness / readiness |
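As an added example (not code from the lattice-auth repository), the verification a game server or the director would run on an access token: it ties the JWT settings listed at the top of this page (alg=EdDSA, iss=lattice-auth, aud=lattice, the claim list) to the keys published at GET /.well-known/jwks.json. The OKP/Ed25519 JWKS entry layout (kty, crv, kid, x), a kid in the token header, and aud as a single string are assumptions; the page only names the endpoint and the claims.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims mirrors the claim list above; encoding/json matches names case-insensitively, so no tags.
type Claims struct {
	Sub, Sid, Platform, Region, Iss, Aud, Jti string
	Roles                                     []string
	Iat, Exp                                  int64
}

// VerifyAccessToken validates a compact JWS against the JWKS document: alg is pinned to EdDSA
// before any key lookup, the Ed25519 key named by kid must verify the signature, and only then
// are iss, aud and exp enforced, so unsigned or foreign-signed claims are never trusted.
func VerifyAccessToken(token string, jwksJSON []byte, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("malformed token or alg is not EdDSA") // blocks alg=none / HMAC swaps
	}
	// JWKS entry layout (OKP/Ed25519 with kty, crv, kid, x) is an assumption; the page only names the endpoint.
	var set struct{ Keys []struct{ Kty, Crv, Kid, X string } }
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	var pub ed25519.PublicKey
	for _, k := range set.Keys { // select by kid, and accept only an Ed25519 key
		if k.Kid == hdr.Kid && k.Kty == "OKP" && k.Crv == "Ed25519" {
			pub, _ = b64.DecodeString(k.X)
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("unknown kid or bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil ||
		c.Iss != "lattice-auth" || c.Aud != "lattice" || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("claims rejected: malformed, wrong iss/aud, or expired")
	}
	return &c, nil
}
```

A caller should fetch and cache the JWKS document and re-fetch on an unknown kid, so that key rotation by lattice-auth does not turn into a connect-time outage.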