API Authentication
Instant Game Update Intelligence
API Keys
Access the PatchPulse API by generating a dedicated key through your developer dashboard. Each key is scoped to specific read/write permissions and tied to your registered application ID.
Generate Your Key
Navigate to Developer Console → Credentials → Create New Secret. Assign scopes like `patch.read`, `game.metadata`, or `user.subscriptions`. Your secret key (prefixed with `pp_`) will appear once and must be stored securely in your environment variables.
Key Rotation
Automate lifecycle management with our rotation endpoint. Keys expire after 90 days unless refreshed via `POST /v2/auth/rotate`. Receive Slack or webhook alerts 72 hours before expiration to prevent pipeline downtime.
Rate Limits
Standard keys allow 1,200 requests per minute per IP. Enterprise tiers scale to 8,500 RPM. Exceeding thresholds returns `429 Too Many Requests` with a `Retry-After` header in seconds. Burst allowances are capped at 150 concurrent connections.
OAuth 2.0 Flow
For applications requiring player-specific patch histories, wishlist tracking, or notification preferences, implement our PKCE-enhanced OAuth 2.0 authorization code flow.
Authorization Request
Redirect users to `https://auth.patchpulse.io/authorize` with your `client_id`, `redirect_uri`, `code_challenge`, and requested scopes. PatchPulse supports `openid`, `profile`, and `patch.write` scopes for third-party integrations.
Token Exchange
Exchange the authorization code for access and refresh tokens via `POST /oauth/token`. Access tokens are JWTs valid for 3600 seconds. Refresh tokens use rotating issuance and remain active for 14 days of inactivity before requiring re-authentication.
Implementation Tips
Use state parameters to prevent CSRF attacks. Validate the `aud` claim matches `api.patchpulse.io`. Cache tokens securely and implement silent refresh logic to maintain uninterrupted session continuity across dashboard reloads.
Security & Compliance
PatchPulse enforces strict security standards to protect developer infrastructure and player data. All endpoints require TLS 1.3 and mandate cryptographic verification.
Signature Verification
Webhook payloads include an `X-PatchPulse-Signature` header. Verify using HMAC-SHA256 with your webhook secret. Reject requests older than 5 minutes to mitigate replay attacks and ensure event ordering integrity.
Data Residency
Token issuance and authentication metadata are processed in AWS us-east-1 and eu-west-2. Player-linked data never leaves your designated region unless explicitly routed through our cross-border sync API with explicit user consent.
Audit Logging
Every authentication event generates an immutable audit trail. Access logs via `GET /v2/audit/auth` or export to SIEM platforms. Logs retain source IP, user-agent, scope granted, and timestamp for 365 days to meet SOC 2 Type II requirements.