Use the Access Token

After you have created the access token, you must include it in the authorization header of every Galaxy Store Developer API call (which includes the Content Publish API, IAP Orders API, IAP Publish API, and GSS Metric API). The access token is valid only within the scope specified when the token was requested and it can only be used with a service account.

Authorization header parameters

The following headers are required for authentication when using the Galaxy Store Developer API.

Attribute             Description
Authorization         Required. Use Bearer <your-access-token> where <your-access-token> is the access token you requested from the Galaxy Store authentication server.
service-account-id    Required. The service account ID used to create the JWT associated with the access token (can be found in the Assistance > API Service area of Seller Portal).
content-type          Required for POST, PUT, and PATCH requests. Must be application/json.

The following example shows the header used with the IAP Publish API to get a list of in-app purchase items:

curl -X GET \
  -H  "Authorization: Bearer <your-access-token>" \
  -H  "service-account-id: <your-service-account-id>" \
  "https://devapi.samsungapps.com/iap/v6/applications/com.example.mygame/items?page=1&size=1"

Validate an access token

Verify that the access token being used is valid.

 GET /auth/checkAccessToken

Example:

curl -X GET \
  -H  "Authorization: Bearer <your-access-token>" \
  -H  "service-account-id: <your-service-account-id>" \
  "https://devapi.samsungapps.com/auth/checkAccessToken"

Response

Success

{ ok: true }

See Authentication errors for information about failed requests.

Revoke an access token

When an access token is created, it does not expire and it can be used as long as the service account is valid. Use this method to revoke (cancel) the access token, for example when it is no longer needed or may have been exposed.

  DELETE /auth/revokeAccessToken

Example:

curl -X DELETE \
  -H  "Authorization: Bearer <your-access-token>" \
  -H  "service-account-id: <your-service-account-id>" \
  "https://devapi.samsungapps.com/auth/revokeAccessToken"

Response

Success

{ ok: true }

See Authentication errors for information about failed requests.

Authentication errors

The following errors may occur during authentication while using the Galaxy Store Developer API.

Error Type       Status Code    Description
AUTH_REQUIRE     401            The access token or service account is not valid.
NO_PERMISSION    403            The service account does not have permission to use this API.

Example Responses to Authentication Failure

Invalid Access Token:

{
  "code":"AUTH_REQUIRE",
  "message":"Invalid accessToken",
  "from": "asgw"
}

Non-existent service account:

{
  "code":"AUTH_REQUIRE",
  "message":"Not found service account by serviceAccountId",
  "from": "asgw"
}
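
The header rules and error responses above, as an added Python example (not code from Samsung or from this page). It builds the required headers, refuses to attach the token to anything other than an HTTPS URL on the API host, and maps the documented error bodies to a next step. The function names, the next-step labels, and the matching on the message text are assumptions of this example.

```python
import json
import urllib.request
from urllib.parse import urlsplit

API_HOST = "devapi.samsungapps.com"  # host used in this page's curl examples

def is_allowed_url(url):
    """True only for HTTPS URLs on the API host, so the token never leaves in cleartext."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == API_HOST

def build_request(method, url, token, service_account_id, body=None):
    """Build an authenticated request carrying the headers the page requires."""
    if not is_allowed_url(url):
        raise ValueError("refusing to send bearer token to " + url)
    headers = {"Authorization": "Bearer " + token,
               "service-account-id": service_account_id}
    data = None
    if method in ("POST", "PUT", "PATCH"):  # content-type is required for these
        headers["content-type"] = "application/json"
        data = json.dumps({} if body is None else body).encode()
    return urllib.request.Request(url, data=data, headers=headers, method=method)

def classify_auth_failure(status, raw_body):
    """Map a failed response to a next step (the step names are this example's own)."""
    try:
        err = json.loads(raw_body)
    except (TypeError, ValueError):
        err = None
    if not isinstance(err, dict):
        return "unexpected-error"
    code, message = err.get("code"), str(err.get("message", ""))
    if status == 401 and code == "AUTH_REQUIRE":
        # Assumption: the message text separates the two 401 cases shown on the page.
        if "service account" in message:
            return "check-service-account-id"
        return "request-new-access-token"
    if status == 403 and code == "NO_PERMISSION":
        return "check-service-account-permissions"
    return "unexpected-error"

if __name__ == "__main__":
    # Constructed input: placeholder credentials and the page's sample error body.
    req = build_request("GET", "https://" + API_HOST + "/auth/checkAccessToken",
                        "<your-access-token>", "<your-service-account-id>")
    print(req.get_method(), req.full_url, sorted(k for k, _ in req.header_items()))
    print(classify_auth_failure(401, '{"code":"AUTH_REQUIRE","message":"Invalid accessToken","from":"asgw"}'))
```

The demo prints header names only, so the token value does not end up in terminal scrollback or logs.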