Talk:Legacy Mojang Authentication

Jump to navigation Jump to search

New Base URL

Since the new base url used for authentication is does that mean it would use or ?

The URL is just "". Post straight there with the content "user=...&password=...&version=..." (without quotes). ~ Ribose · 19:29, 20 October 2011 (MST)

New auth response?

I'm now seeing the auth server respond with (in the HTTP body) the following: "2\r\nOK\r\n0\r\n\r\n" (interpret that as a C string). Anyone seen different, or have any insights?

--Huin 15:19, 20 November 2011 (MST)

What URL specifically? Barneygale 05:44, 21 November 2011 (MST)
Sorry - should have said: I was having trouble with my implementation of the minecraft server (ChunkyMonkey), and decided to sniff the traffic that the official server was sending, and got the above. --Huin 12:19, 21 November 2011 (MST)
Just realised that that was probably the client. I'm gonna run another packet sniff. --Huin 12:21, 21 November 2011 (MST)
So the URL I was really interested in was the checkserver one, i.e /game/checkserver.jsp?user=XXXX&serverId=XXXX - for which the response is quite similar: "3\r\nYES\r\n0\r\n\r\n" --Huin 12:46, 21 November 2011 (MST)
So this is actually HTTP chunking. See how you've got a Transfer-Encoding: chunked header? [1] Barneygale 09:08, 22 November 2011 (MST)
Facepalm. Yep. That'll be it. --Huin 12:12, 22 November 2011 (MST)

Signature in textures

The base64 in the "signature" section of "textures" is base64; it's just data signed with Yggdrasil's private key and is verified with a SHA1withRSA public key.

Source: Signature signature = Signature.getInstance("SHA1withRSA"); signature.initVerify(publicKey); signature.update(this.value.getBytes()); return signature.verify(Base64.decodeBase64(this.signature));

Comes from in the Yggdrasil Authlib.

Obtaining Twitch Access Token

You must add 'requestUser':true to the request when your are authenticating an user or refreshing an access token.

Example request and response for requestUser have been added to the Article. The supplied Twitch token is an OAuth token that can be used to directly communicate with the Twitch API. (e.g. So unlike preferredLanguage the twitch_access_token parameter has sensitive information that should not be shared or published in crash logs. I don't know where the the value for preferredLanguage can be set. For my account it is set to de, which makes sense since I'm from Germany. I probably somewhere selected German when registering my Mojang/Minecraft account in March 2016. It looks like older accounts don't have this attribute. I know some people have it set to en and I assume there are many other language codes possible (ISO 639-1). --P schneider (talk) 18:52, 10 August 2016 (UTC)

How to see what the vanila launcher does with the authoritation data

The vanilla launcher also talks using these server, but sometimes its usefull to see how vanila interacts with to debug the process of your own launcher.

The following code looks at the traffic between and the local vanila client (the minecraft.jar downloaded from and prints out the raw http contents inside the https stream.

Use it only for debugging purposes, do NOT include it into malware minecraft launchers:

Using this class I discovered that vanilla uses "requestUser": true to get more information about the user, including the Twitch access token. All information discovered by this can be useful to put into the main page.