Secure Mods. Seamless Installs.
Authenticate API requests using OAuth2 or scoped API keys to manage mod deployments, user permissions, and repository access.
OAuth2 Authorization Flow
Implement the standard authorization code flow to allow players to grant your launcher or web dashboard secure, temporary access to their ModVault account without storing passwords.
Begin by registering your application in the ModVault Developer Console to receive a Client ID and Client Secret. Redirect users to `https://auth.modvault.io/oauth/authorize` with your client ID, redirect URI, and requested scopes (`mod:read`, `mod:write`, `user:profile`). Upon approval, ModVault returns an authorization code to your callback endpoint. Exchange this code for an access token and refresh token by POSTing to `https://auth.modvault.io/oauth/token`. Tokens expire after 3600 seconds; use the refresh endpoint to maintain sessions without re-prompting users. All token requests must include your Client Secret in the `Authorization` header as a Basic Auth credential.
API Key Generation & Management
Use long-lived API keys for server-side integrations, CI/CD pipelines, and automated mod compilation services that require persistent repository access.
Generate keys directly from your ModVault dashboard under Settings > API Access. Each key supports granular scoping: limit permissions to specific repositories like `r/stellaris-mods` or restrict actions to `upload`, `download`, or `webhook:manage`. Keys are prefixed with `mv_live_` for production and `mv_test_` for sandbox environments. Rotate keys every 90 days or immediately upon suspected compromise. Deleted keys are permanently revoked and cannot be recovered.
Store Keys Securely
Never commit API keys to public Git repositories or client-side JavaScript bundles. Use environment variables (`.env` files) or secret managers like HashiCorp Vault and AWS Secrets Manager. Validate keys in staging before deploying to production endpoints.
Rate Limits & Quotas
Authenticated requests allow up to 1200 calls per hour per key. Unauthenticated endpoints are capped at 60 requests per hour. Monitor usage via the `X-RateLimit-Remaining` header and implement exponential backoff when hitting `429 Too Many Requests` responses.
Webhook Verification
ModVault signs all webhook payloads with HMAC-SHA256 using your API key secret. Verify the `X-ModVault-Signature` header before processing mod update events, dependency changes, or user subscription notifications to prevent spoofed requests.
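A receiver-side check for the signature described above, as an added example that is not ModVault's own code. It assumes the `X-ModVault-Signature` header carries the hex-encoded HMAC-SHA256 of the raw request body; the page does not state the encoding, so confirm it before use. The secret, payload and event name are constructed.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-ModVault-Signature"  # header name taken from the page


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received (hex encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the signature header matches the raw body."""
    received = None
    for name, value in headers.items():
        # HTTP header names are case-insensitive.
        if name.lower() == SIGNATURE_HEADER.lower():
            received = value.strip().lower()
            break
    if not received:
        return False  # unsigned requests are rejected, never processed
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.encode("utf-8", "replace"))


def demo() -> dict:
    secret = b"mv_test_constructed_example_secret"  # constructed, not a real key
    body = b'{"event":"mod.updated","mod_id":42}'   # constructed payload
    sig = compute_signature(secret, body)
    # Parsing and re-serializing changes whitespace, so the bytes differ.
    reserialized = json.dumps(json.loads(body)).encode()
    return {
        "valid": verify_webhook(secret, {"x-modvault-signature": sig}, body),
        "tampered": verify_webhook(secret, {SIGNATURE_HEADER: sig},
                                   body.replace(b"42", b"43")),
        "reserialized": verify_webhook(secret, {SIGNATURE_HEADER: sig}, reserialized),
        "missing": verify_webhook(secret, {}, body),
    }


if __name__ == "__main__":
    print(demo())
```

The `reserialized` case is why verification has to run on the request bytes as received, before any JSON parsing middleware touches them.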