Use the Access Token

After you have created the access token, you must include it in the authorization header of every Galaxy Store Developer API call (which includes the Content Publish API, IAP APIs, and GSS Metric API). The access token is valid only within the scope specified when the token was requested and it can only be used with a service account.

Authorization header parameters

The following header is required for authentication in order to use the Galaxy Store Developer API.

| Attribute | Description |
|---|---|
| Authorization | Required. Use Bearer <your-access-token> where <your-access-token> is the access token you requested from the Galaxy Store authentication server. |
| service-account-id | Required (except for the contentMetric GSS Metric API). The service account ID used to create the JWT associated with the access token (can be found in the Assistance > API Service area of Seller Portal). |
| content-type | Required for POST, PUT, and PATCH requests. Must be application/json (except for the fileUpload Content Publish API which uses multipart/form-data). |

The following shows the header used with the Content Publish API to submit an app for review:

curl -i -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <your-access-token>" \
  -H "service-account-id: <your-service-account-id>" \
  -d '{"contentId": "000007654321"}' \
  "https://devapi.samsungapps.com/seller/contentSubmit"

The following example shows the header used with the IAP Publish API to get a list of in-app purchase items:

curl -X GET \
  -H "Authorization: Bearer <your-access-token>" \
  -H "service-account-id: <your-service-account-id>" \
  "https://devapi.samsungapps.com/iap/v6/applications/com.example.mygame/items?page=1&size=1"

Validate an access token

Verify that the access token being used is valid.

 GET /auth/checkAccessToken

Example:

curl -X GET \
  -H  "Authorization: Bearer <your-access-token>" \
  -H  "service-account-id: <your-service-account-id>" \
  "https://devapi.samsungapps.com/auth/checkAccessToken"

Response

Success

{ ok: true }

See Authentication errors for information about failed requests.

Revoke an access token

When an access token is created, it does not expire and it can be used as long as the service account is valid. You can use this method to revoke or cancel the access token.

  DELETE /auth/revokeAccessToken

Example:

curl -X DELETE \
  -H  "Authorization: Bearer <your-access-token>" \
  -H  "service-account-id: <your-service-account-id>" \
  "https://devapi.samsungapps.com/auth/revokeAccessToken"

Response

Success

{ ok: true }

See Authentication errors for information about failed requests.

Authentication errors

The following errors may occur during authentication while using the Galaxy Store Developer API.

| Error Type | Status Code | Description |
|---|---|---|
| AUTH_REQUIRE | 401 | The access token or service account is not valid. |
| NO_PERMISSION | 403 | The service account does not have permission to use this API. |

Example Responses to Authentication Failure

Invalid Access Token:

{
  "code":"AUTH_REQUIRE",
  "message":"Invalid accessToken",
  "from": "asgw"
}

Non-existent service account:

{
  "code":"AUTH_REQUIRE",
  "message":"Not found service account by serviceAccountId",
  "from": "asgw"
}
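
As an added example (not Samsung's code), the following shell helpers wrap the validate and revoke calls shown above so that the non-expiring token reaches curl on stdin instead of on the command line, and map the documented error responses to an action. The variable names GS_TOKEN and GS_SA_ID, the function names, the 2xx success status, and the character check applied to the service account ID are assumptions.

```shell
#!/bin/sh
# Added example, not Samsung's code. GS_TOKEN / GS_SA_ID are assumed names.
GS_BASE="https://devapi.samsungapps.com"   # host from the page's curl examples

# Emit the two auth headers as a curl config. Fed to `curl --config -`, the
# token travels on stdin and never appears in curl's argv (visible via ps).
gs_auth_config() {
    for v in "$GS_TOKEN" "$GS_SA_ID"; do
        # Allow RFC 6750 token68 characters only (using the same set for the
        # service account ID is an assumption). This rejects quotes and
        # newlines that could inject extra config lines or headers.
        case "$v" in
            ''|*[!A-Za-z0-9._~+/=-]*) echo "bad credential value" >&2; return 1 ;;
        esac
    done
    printf 'header = "Authorization: Bearer %s"\n' "$GS_TOKEN"
    printf 'header = "service-account-id: %s"\n' "$GS_SA_ID"
}

# Map status code and body to an action, using the error types on this page.
gs_classify() {  # usage: gs_classify STATUS BODY
    case "$1:$2" in
        401:*"Not found service account"*) echo "fix-service-account-id" ;;
        401:*)                             echo "token-invalid" ;;
        403:*)                             echo "no-permission" ;;
        2??:*ok*true*)                     echo "ok" ;;  # 2xx is an assumption
        *)                                 echo "unexpected" ;;
    esac
}

# Call an auth endpoint over HTTPS only and print the classified outcome.
gs_auth_call() {  # usage: gs_auth_call GET /auth/checkAccessToken
    conf=$(gs_auth_config) || return 1
    resp=$(printf '%s\n' "$conf" | curl --config - --proto '=https' -sS \
               -X "$1" -w '\n%{http_code}' "$GS_BASE$2") || return 1
    status=$(printf '%s\n' "$resp" | tail -n 1)   # last line is the status
    body=$(printf '%s\n' "$resp" | sed '$d')      # everything before it
    gs_classify "$status" "$body"
}
```

Run `gs_auth_call GET /auth/checkAccessToken` to validate a token and `gs_auth_call DELETE /auth/revokeAccessToken` to revoke it.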