Skip to content

Changes

Page history
Create Nintendo tokens authored by Samuel Elliott's avatar Samuel Elliott
Hide whitespace changes
Inline Side-by-side
Nintendo-tokens.md 0 → 100644
View page @ 8619d0f7
Nintendo Account session token
---
JSON web token. Valid for 63072000 seconds (two years).
Session tokens are used to obtain an id_token and access_token. Both tokens have different `jti` values despite being issued together.
### Example header
```json
{
"alg": "HS256"
}
```
### Example payload
Type:
https://gitlab.fancy.org.uk/samuel/nxapi/-/blob/d548a0e37ed9bb02c8bae728aba754f595fc8d0c/src/api/na.ts#L92-103
Audience and "st:scp" (scope?) is for the Nintendo Switch Online app.
```json
{
"jti": "0000000000",
"typ": "session_token",
"iss": "https://accounts.nintendo.com",
"st:scp": [
0,
8,
9,
17,
23
],
"sub": "0123456789abcdef",
"exp": 63072000,
"aud": "71b963c1b7b6d119",
"iat": 0
}
```
Nintendo Account id_token
---
JSON web token signed by one of the keys in https://accounts.nintendo.com/1.0.0/certificates. Valid for 900 seconds (15 minutes).
Used by the Nintendo Switch Online app to obtain a Nintendo Switch Online app token.
### Example header
kid is any kid in https://accounts.nintendo.com/1.0.0/certificates. These keys seem to change very frequently.
```json
{
"alg": "RS256",
"kid": "29f48035-0b6e-45e9-ba64-543a6fd17183",
"jku": "https://accounts.nintendo.com/1.0.0/certificates"
}
```
### Example payload
Type: https://gitlab.fancy.org.uk/samuel/nxapi/-/blob/d548a0e37ed9bb02c8bae728aba754f595fc8d0c/src/api/na.ts#L112-124
Token ID is a v4 UUID. The format of `at_hash` is unknown. Audience is for the Nintendo Switch Online app.
```json
{
"country": "GB",
"jti": "00000000-0000-0000-0000-000000000000",
"exp": 900,
"at_hash": "",
"typ": "id_token",
"iat": 0,
"iss": "https://accounts.nintendo.com",
"sub": "0123456789abcdef",
"aud": "71b963c1b7b6d119"
}
```
Nintendo Account access token
---
JSON web token signed by one of the keys in https://accounts.nintendo.com/1.0.0/certificates. Valid for 900 seconds (15 minutes).
Used by the Nintendo Switch Parental Controls app to access the Parental Controls API (moon).
### Example header
kid is any kid in https://accounts.nintendo.com/1.0.0/certificates. These keys seem to change very frequently.
```json
{
"jku": "https://accounts.nintendo.com/1.0.0/certificates",
"kid": "354c2df8-e152-4ac4-ad7e-c3fdc4464b7d",
"alg": "RS256"
}
```
### Example payload
Type: https://gitlab.fancy.org.uk/samuel/nxapi/-/blob/d548a0e37ed9bb02c8bae728aba754f595fc8d0c/src/api/na.ts#L125-137
Token ID is a v4 UUID. The format of `at_hash` and `ac:grt` is unknown. Audience and "ac:scp" (scope?) is for the Nintendo Switch Online app.
```json
{
"aud": "71b963c1b7b6d119",
"typ": "token",
"sub": "0123456789abcdef",
"iat": 0,
"iss": "https://accounts.nintendo.com",
"ac:grt": 0,
"exp": 900,
"ac:scp": [
0,
8,
9,
17,
23
],
"jti": "00000000-0000-0000-0000-000000000000"
}
```
Nintendo Switch Online app token
---
JSON web token. Valid for 7200 seconds (two hours).
Used to access the Nintendo Switch Online app API (znc) and obtain web service tokens.
### Example header
```json
{
"typ": "JWT",
"alg": "HS256"
}
```
### Example payload
Type: https://gitlab.fancy.org.uk/samuel/nxapi/-/blob/d548a0e37ed9bb02c8bae728aba754f595fc8d0c/src/api/znc.ts#L173-185
Audience is for the Nintendo Switch Online app. `sub` is the Nintendo Switch Online user ID (`id`, not `nsaId`).
```json
{
"isChildRestricted": false,
"membership": {
"active": true
},
"aud": "f417e1tibjqd91ch99u49iwz5sn9chy3",
"exp": 7200,
"iat": 0,
"iss": "api-lp1.znc.srv.nintendo.net",
"sub": 0,
"typ": "id_token"
}
```
Nintendo Switch Online app web service token
---
JSON web token signed by one of the keys in https://api-lp1.znc.srv.nintendo.net/v1/WebService/Certificate/List. Valid for 7200 seconds (two hours).
Used to authenticate to web services (e.g. SplatNet 2). The Nintendo Switch Online app requests a web service token then sends it in the `x-gamewebtoken` header in the first request. The app also exposes a JavaScript API to allow the web service to request a new token if it expires, although web services don't usually need a web service token again as they initial request sets a HTTP cookie session token.
### Example header
kid is any kid in https://api-lp1.znc.srv.nintendo.net/v1/WebService/Certificate/List. These keys seem to change very frequently.
```json
{
"typ": "JWT",
"alg": "RS256",
"kid": "Ey4LiM1R9tJOnjL8t00CY3BkhfI",
"jku": "https://api-lp1.znc.srv.nintendo.net/v1/WebService/Certificate/List"
}
```
### Example payload
Type: https://gitlab.fancy.org.uk/samuel/nxapi/-/blob/d548a0e37ed9bb02c8bae728aba754f595fc8d0c/src/api/znc.ts#L186-205
Audience is for SplatNet 2. `sub` is the Nintendo Switch Online user ID (`id`, not `nsaId`) - `links.networkServiceAccount.id` is the user `nsaId`.
Known `aud` values:
- `5vo2i2kmzx6ps1l1vjsjgnjs99ymzcw0` - SplatNet 2 web service token
- `6699641390694400` - NookLink web service token
- `5410106071449600` - Smash World web service token
```json
{
"isChildRestricted": true,
"aud": "5vo2i2kmzx6ps1l1vjsjgnjs99ymzcw0",
"exp": 7200,
"iat": 0,
"iss": "api-lp1.znc.srv.nintendo.net",
"jti": "00000000-0000-0000-0000-000000000000",
"sub": 0,
"links": {
"networkServiceAccount": {
"id": "0123456789abcdef"
}
},
"typ": "id_token",
"membership": {
"active": true
}
}
```
SplatNet 2 iksm_session
---
Every SplatNet 2 request includes an iksm_session cookie in the response. If an iksm_session cookie was sent in the request the value in the response will be the same. iksm_session cookies are set even if a web service token is not set. The cookie includes an expiration time of 1 day from the time of the request. Various projects (e.g. splatoon2.ink) have used the same iksm_session for a long time. So iksm_session appears to valid for 1 day from last use.