Authentication

All GamerSafer API requests are authenticated using a Guild Token — a JWT issued by GamerSafer for your organization's guild.

Sending the Token

Include the token in the Authorization header with a Bearer prefix on every request:

Authorization: Bearer <YOUR_GUILD_TOKEN>

Full request example:

POST /guilds/invites HTTP/1.1
Host: api.gamersafer.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Content-Type: application/json

{
  "internalId": "player-123",
  "webhookUrl": "https://your-backend.com/webhooks/gamersafer"
}

Getting Your Guild Token

Guild Tokens are issued by the GamerSafer team during onboarding. To request your token, reach out to your GamerSafer integration contact.

Rotating Your Guild Token

You can rotate your token programmatically at any time:

PUT /guilds/refresh-api-token
Authorization: Bearer <YOUR_CURRENT_GUILD_TOKEN>

After rotation, the old token is immediately invalidated. Update your environment variables before rotating to avoid downtime.

Security Best Practices

  • Never expose the Guild Token in client-side code — all API calls must go through your backend.
  • Store the token in an environment variable or secrets manager (e.g., AWS Secrets Manager, Vault).
  • Rotate the token if you suspect it has been leaked.
  • Do not log the full token value in application logs.
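
The following is an added example, not code from GamerSafer: a backend-side sketch of the storage and logging practices above, which reads the Guild Token from an environment variable and scrubs Bearer credentials and JWT-shaped strings from log records. The variable name GAMERSAFER_GUILD_TOKEN, the function and class names, and the fingerprint format are assumptions made for illustration.

```python
import hashlib
import logging
import os
import re

ENV_VAR = "GAMERSAFER_GUILD_TOKEN"  # assumed name; the docs do not prescribe one

# "Bearer <credential>" (16+ chars) or a bare three-segment JWT ("eyJ" header).
_SECRET_RE = re.compile(
    r"(?i:bearer)\s+([A-Za-z0-9._~+/=-]{16,})|\b(eyJ[\w-]+\.[\w-]+\.[\w-]+)"
)


def fingerprint(token: str) -> str:
    """Truncated SHA-256: tells tokens apart in logs without revealing them."""
    return hashlib.sha256(token.encode()).hexdigest()[:8]


def redact(text: str) -> str:
    """Replace any Bearer credential or JWT in text with its fingerprint."""
    def _sub(m: re.Match) -> str:
        prefix = "Bearer " if m.group(1) else ""
        return f"{prefix}[REDACTED sha256:{fingerprint(m.group(1) or m.group(2))}]"
    return _SECRET_RE.sub(_sub, text)


class TokenRedactingFilter(logging.Filter):
    """Attach to handlers so every record is scrubbed before it is written."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = None
        return True


def auth_headers(environ=os.environ) -> dict:
    """Build request headers from the environment; fail closed if unset."""
    token = environ.get(ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{ENV_VAR} is not set")
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
```

Add the filter to each handler rather than to a logger, because logger-level filters are not applied to records propagated from child loggers. Exception tracebacks are formatted separately from the message and are not scrubbed by this filter.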