Access the Guild Wars 2 API
The Guild Wars 2 API supports JWT tokens, called subtokens by the API, in addition to the usual API key to authorize requests. You can request a subtoken from the gw2.me API so you can make authorized requests to the Guild Wars 2 API yourself.
Subtokens generated by gw2.me are only valid for a short time (usually 10 minutes). This is because subtokens cannot be invalidated and should stop working shortly after the user removes the authorization for your app.
Get Accounts
Before you can request a subtoken, you will need to get the list of accounts the user has shared with your application. Make a request to https://gw2.me/api/accounts and pass your access_token as a header (Authorization: Bearer <access_token>). This requires the accounts scope.
The response will be a JSON object with the list of accounts with the account id and name as returned by the /v2/accounts Guild Wars 2 API endpoint.
{
  "accounts": [
    {
      "id": "C2BFF77D-B669-E111-809D-78E7D1936EF0",
      "name": "darthmaim.6017",
      "shared": false
    }
  ]
}
If the scopes include accounts.displayName, each account object will include the displayName the user has set (or null, if the user has not set a custom display name). Similarly, if the scope accounts.verified is included, the response will contain the boolean verified with the ownership verification status of each account.
Users can share accounts with other users. Shared accounts will have shared: true set. You can use this flag to prohibit or highlight these accounts in your app. If the authorization includes the accounts.verified scope, the verified property of a shared account will be false, as the user is not the owner of the account. Shared accounts otherwise work the same as regular accounts.
Request Subtoken
Now you can request a subtoken for an account. Make a request to https://gw2.me/api/accounts/<accountId>/subtoken, again including the Authorization: Bearer <access_token> header. You can optionally include the permissions query parameter with comma-separated permissions to request a specific subset of permissions.
The response will include the generated subtoken and the expiration timestamp of that subtoken.
{
  "subtoken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJpU0V6M3NBOC1PejdteUUtVTEwbW53dWM2ZlFxMzh3dm5TRU45SVlnMGdZIiwiaWF0IjoxNjk4OTI3MTA4LCJleHAiOjE2OTg5Mjc3MDgsInBlcm1pc3Npb25zIjpbImFjY291bnQiXX0.YZRAmJ8o-T6c0r4IHspy3S2Nqz7zEBtc22b36xzbL6g",
  "expiresAt": "2023-11-02T12:21:48.000Z"
}
It is currently not possible to request multiple subtokens in bulk with one request.
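The flow described above as an added example (not gw2.me's own client code): it filters shared accounts, requests a subtoken limited to the permissions the app needs, and reuses it only while it is comfortably short of expiresAt. The function names, the 30-second safety margin and the per-access-token cache are assumptions of this sketch; the endpoint, header and response fields are the ones documented on this page.

```javascript
// Added example; helper names and the 30 s margin are assumptions, not gw2.me API.
const BASE = 'https://gw2.me/api';

// Build the subtoken request. `permissions` is optional; asking only for what
// the app needs limits what a leaked subtoken can be used for.
function subtokenRequest(accountId, accessToken, permissions) {
  const url = new URL(`${BASE}/accounts/${encodeURIComponent(accountId)}/subtoken`);
  if (permissions && permissions.length > 0) {
    url.searchParams.set('permissions', permissions.join(','));
  }
  return { url: url.toString(), headers: { Authorization: `Bearer ${accessToken}` } };
}

// A cached subtoken is reused only while more than `skewMs` remains before expiresAt.
function isFresh(entry, now = Date.now(), skewMs = 30000) {
  return Boolean(entry) && Date.parse(entry.expiresAt) - now > skewMs;
}

// Accounts the app will act on; shared accounts are excluded unless allowed.
function usableAccounts(accountsResponse, { allowShared = false } = {}) {
  return accountsResponse.accounts.filter((a) => allowShared || !a.shared);
}

// One client per access token, so cached subtokens are never served to another user.
function createSubtokenClient(accessToken, fetchImpl = fetch) {
  const cache = new Map(); // "accountId|permissions" -> { subtoken, expiresAt }
  return async function getSubtoken(accountId, permissions = [], now = Date.now()) {
    const key = `${accountId}|${[...permissions].sort().join(',')}`;
    if (isFresh(cache.get(key), now)) return cache.get(key).subtoken;
    cache.delete(key); // drop stale entries instead of sending an expired token
    const { url, headers } = subtokenRequest(accountId, accessToken, permissions);
    const res = await fetchImpl(url, { headers });
    // A failed request (for example after the user removed the authorization)
    // must surface as an error; never fall back to an older subtoken.
    if (!res.ok) throw new Error(`subtoken request failed: HTTP ${res.status}`);
    const body = await res.json();
    cache.set(key, { subtoken: body.subtoken, expiresAt: body.expiresAt });
    return body.subtoken;
  };
}
```

Because there is no bulk endpoint, call getSubtoken once per account returned by usableAccounts.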