This document contains all the endpoints available with Supercell ID API.
All the endpoints below are on the root url https://ingame.id.supercell.com/api
.
A small note on authentication here, Supercell ID requires you to authenticate using a JWT for every endpoint below and that JWT is passed on by the game client (using supercellid://
URL Scheme). As we do not have the private key to generate the JWTs, only those endpoints are well documented which work without authentication/work on the principle of least privileged authentication.
-
POST /account/login
Headers : None other than the default ones.
Body : URL Encoded body (
application/x-www-form-urlencoded
) with the following parameters. Example:email=me@example.com&env=prod&game=soil&lang=en
Parameter Possible Value game
Refer the table below. email
The email address on which the code is to be sent. Has the same use in all the endpoints below. env
The game environment. For production environment use prod
lang
An ISO 639-1 Language Code in which the mail is to be sent. If the language is not supported, English will be used as fallback language. Possible values for
game
parameter.Game (Common Name) Value for game
(Codename)Hay Day soil
Clash of Clans magic
Boom Beach reef
Clash Royale scroll
Brawl Stars laser
Body :
{ "ok":true }
-
POST /account/login.validate
Headers : None except default ones.
Body : URL Encoded body (
application/x-www-form-urlencoded
) with theemail
&pin
parametres. (pin
is the six-digit code you receive on your email)Body:
{"ok" : true, "data" : { "email" : "<Email to which code was sent>", "isValid" : true, "isBound" : true, "application" : { "application" : "<game paramater hyphenated by environment>", // Eg. scroll-prod "account" : "<Player Tag>", // Eg. #8PRLVC0J "username" : "<Player Name>", // Eg. OJ "progress" : [ "<XP Level>", "<XP Points>" ] // Eg. [5,820] }, "system" : { "system" : "<Game parameter>", //Eg. scroll "account" : "<Player Tag>", // Eg. #8PRLVC0J "username" : "<Player Name>", // Eg. OJ "progress" : [ "<XP Level>", "<XP Points>" ] // Eg. [5,820] } }}
-
POST /account/login.confirm
Headers : Default.
Body : Same as in
/account/login.validate
.Body :
{ "ok" : true, "data" : { "scid" : "<An ES256 JWT for authentication>", // The body contains game (Game codename eg. scroll), pid (Contains high and low components of tag in XXX-YYY format), env (Environment eg. prod), iat (timestamp) & scid claims. "scidToken" : "<An ES256 OpenID JWT>", // Practically both the tokens carry same claims but are signed using different keys. "bindToken" : "<A token which is used to login on the game client> (Requires Authentication)", // Not much information is available on the type and kind of this token because it requires authentication. The scid JWT does not have required privileges to get this token. "email" : "<Email to which the code was sent>" }}
-
POST /account/links.get
Headers : Requires at least the
scid
Bearer token obtained using/account/login.confirm
endpoint which is used for authentication using theAuthorization
header. Example :Authorization: Bearer <scid>
Body : URL Encoded body (
application/x-www-form-urlencoded
) with thescid_token
parameter containingscidToken
from the/account/login.confirm
response.Body:
{ "ok" : true, "data" : { "attributionId" : "<A GUID/UUID without hyphens for internal use>", // Eg. 835dd13bb5b846279b0d30c9bf41746d "system" : "<The name of the game on whose behalf the request was made>", // Eg. Clash Royale "links" : [ // An array of 5 objects(as of now) { "system" : "Unknown/<Game Name> (If Unknown, the player has not linked his account with the particular game, if a game name appears, the player has linked his account with the particular game.)" // Eg. Clash Royale } ] } }
Note : The above endpoint requires authentication. Since,
scid
token is not a fully privileged token, some fields in the response body may be missing. -
POST /account/settings.get
Headers : Requires at least the
scid
Bearer token obtained using/account/login.confirm
endpoint which is used for authentication using theAuthorization
header. Example :Authorization: Bearer <scid>
Body : Same as
/account/links.get
Body:
{ "ok": true, "data": { "created": "<An ISO 8601 timestamp indicating the time when the Supercell ID was created>", // Eg. 2022-03-21T16:02:35.560Z "lang": "<An ISO 639-1 Language Code>", "email_marketing_permission": false, "email_marketing_timestamp": "<An ISO 8601 timestamp indicating the time when the email marketing setting was last changed>", // Eg. 2022-03-21T16:02:35.560Z "marketing_scope_consents": [ { "scope_id": "beatstar", "scope_localized_name": "Beatstar", "scope_consent": true }, { "scope_id": "boombeach", "scope_localized_name": "Boom Beach", "scope_consent": false }, { "scope_id": "brawlstars", "scope_localized_name": "Brawl Stars", "scope_consent": true }, { "scope_id": "clashofclans", "scope_localized_name": "Clash of Clans", "scope_consent": false }, { "scope_id": "clashroyale", "scope_localized_name": "Clash Royale", "scope_consent": true }, { "scope_id": "hayday", "scope_localized_name": "Hay Day", "scope_consent": false }, { "scope_id": "supercell", "scope_localized_name": "Supercell News", "scope_consent": true } ] // All the booleans above can be either true/false. } }
Note : The above endpoint requires authentication. Since,
scid
token is not a fully privileged token, some fields in the response body may be missing. -
POST /account/settings.set
Headers : Requires at least the
scid
Bearer token obtained using/account/login.confirm
endpoint which is used for authentication using theAuthorization
header. Example :Authorization: Bearer <scid>
Body : URL Encoded body (
application/x-www-form-urlencoded
) with thescid_token
parameter containingscidToken
from the/account/login.confirm
response andaccept_marketing
parameter which is eithertrue
orfalse
to change the email marketing setting.Body : Same as in
/account/settings.get
Note : The above endpoint requires authentication. Since,scid
token is not a fully privileged token, some fields in the response body may be missing.
In any of the cases above, you will get Unauthorized
response from the endpoints which require authentication and you don't authenticate.
If there is some other error you will get a response body like the below one.
{
"ok":false,
"error":"<An error message>" //Eg. bad_request,binding_not_found etc
}
In addition to the above all endpoints, there are 2 more endpoints as listed below.
POST /account/create
POST /account/create.confirm
The endpoints above are used to create new Supercell IDs. These have not been documented as they require authentication and the scid
JWT does not carry enough privileges to authenticate with the above endpoints. Most probably the JWT received from the game client is the one which can be used to successfully authenticate with them. Also, the /account/create
endpoint is protected by Google's Recaptcha (that does not matter much anyways because it is easy to get the captcha API token, the main difficulty is obtaining a JWT 😅).