Sign-up and Login - A Recommended Workflow


Creating an account (“Sign-up”) or connecting with an existing account (“Login”) has always been an obstacle for users, whatever the service or app they use.

Users forget their password. Worse, users forget that they signed up and create multiple accounts - and then ask why they don’t have the features that they purchased.

Users have multiple e-mail addresses, and use them at random - or forget them or misspell them. Or forget which e-mail was used to create their account. Or lose access to their e-mail box. So using an e-mail as an identifier (like what Google or Apple do) is doomed too.

Lots of users think that it’s magic and that servers have some extra-sensorial powers to identify them. If only it could be true. At the end of the day, it looks boring, complicated and messy and users give up.

Because we care a lot about the user experience, we want to avoid sign-up and login be perceived as an obstacle on the user’s path to online gaming Nirvana. Over the past years, we have developed a workflow that works rather well. It tries to put as little burden as possible on the user, and be very straightforward and self-explanatory. The flip side of the coin is that the burden is put on the developer. Fortunately, the REST API has all the end-points to do this easily.

When doing it?

As explained in the Integration Introduction guide, apps should not force the player to sign-up, but it should attract her to do so by explaining the additional services and benefits it brings. Typical examples are accessing the Online Multiplayer gaming area, saving her Achievements in the Cloud, participating to worldwide leaderboards, etc.

Simple Flow

The following workflow illustrates a first good way to do it. It may seems complicated at first, but it does many things already, because it tries to guess if an account already exists and gives the opportunity to the user to retrieve his password. All this using only four API end-points.

Simple SSO flow

You will need the following end-points:

  • Testing if an account already exists using a Login Name or E-mail, or if an e-mail is available: use the User Search end-point, with the login=:login_name or email=:email query string.
  • Login: use the Request an OAuth2 token with a Login Name end-point. You will get an Access Token with a private Scope. Use this token going forward. Keep in mind that OAuth2 is stateless, so there is no real concept of session. If you want to log out, simply throw away the token.
  • Creating an Account: use the Sign-up end-point.
  • Reset Password: use the Reset Password end-point.

Restrict access to particular feature

The following workflow illustrates how to handle an account which has not been validated before accessing a restricted feature (eg online games). The user is logged in but has not validated his account yet. It gives hint to the user on how to check for the reception of the validation email and allows him to change the email if there is a mistake on it. To do this, use the email and newsletter end-point.

Restricted feature access

It is important to drive the users into their account validation as their account will expired within 7 days if they don’t validate it.

Steam Flow

Steam is a special case because we can delegate the user’s authentication to Steam. is capable of doing a server-to-server query to check if a Steam session is valid, and automatically log in the user without asking for her password. This is convenient for the user. She is already connected to Steam when starting any Steam game, so this way she is connected to her account completely seamlessly without compromising security.

Steam SSO flow

1) Trying to login with the Steam Session Ticket:

The app should start by checking the Steam Session Ticket that the Steam lib returns. This is accomplished by calling the /oauth/token end-point with the following parameters:

  • grant_type = steam_partner
  • app_id = the Steam App ID used on the Steam Store
  • session_ticket = the Steam Session Ticket given by the Steam lib
  • steam_api_key = the Steam Publisher Key given by the Steamworks backend

Note that this call can be slow because it involves a server-to-server connection between the servers and the Valve servers. So we advise that you perform this first step early on (for example when starting the app) and asynchronously. Be prepared to deal with an offline situation if the session_ticket is deemed as invalid - which should be very unlikely, but can still happen.

If the Steam Session is valid, you will get an Access Token from the API. There can be two situations: an account was found or not.

  • If a user was found, the Access Token will have a private scope. You can retrieve the user ID from the sub field of the Access Token, and you are a happy authenticated camper.
  • If a user was not found, the Access Token will have a public scope. This already allows you to perform calls to many API end-points. But if you need a User at some point, you will have to find or create an account.

2) Finding or creating the user’s account:

The workflow is identical to the simplified workflow described above: you ask the user if she already has an account, etc.

There are two minor additions, related to the notion of “linking”, which means linking the user account to the Partner’s (Steam) identifier.

  • If you have to create an account, add the following parameters to your call to the Sign-up end-point:
    • partner = 12 (this is Steam’s Partner ID)
    • partner_user = the User’s Steam ID given by the Steam lib
  • If you found the account thanks to the user’s indications and that she logged in successfully, you still have to link her account to Steam. This is accomplished by using the Link/Unlink end-point.

Properly linking the user’s account to the Steam User ID will allow transparent login next time the user starts the app.

Learn more about Partners account linking at the Request an OAuth2 token with a Partner User end-point.

Some more questions about Steam linking:

Q: What happens if I have a Steam account that is already linked to an account, and that I am trying to link it to another account?

A: You will get the API012 error message from the API. But normally, this won’t happen if you follow the Steam Flow described above, because you will get the correct account directly, and so won’t find yourself trying to link the Steam account to something else. Of course, this should not be an excuse for ignoring error messages, right? ;-)

Q: What should happen when logging out from an account in the game and logging into another account? Should the Steam link be transferred to the new account?

A: This is a rare corner case, but it needs proper handling nevertheless. Our recommendation is to leave the link untouched - Don’t transfer it. The rational is that if someone needs to log out and use another account, then he’s probably not the “natural” owner of the Steam account. For example, a child or spouse using the PC to play online with his/her own account temporarily. By leaving the link to the original, the autologin will work naturally back to the original account upon the next launch of the app. This is what you want. People who really need to change a link permanently will contact our technical support.

Q: Similarly, what will/should happen if I try to connect multiple Steam accounts with one account? How this should be handled and how the system will behave in such situations?

A: The platform allows an account to be linked to several Partner accounts. It won’t complain. So there could be several Steam accounts linked to the same account. Whether the players uses one or the other Steam account, it will be logged into his account. It could seem confusing when you think of it, but frankly, this has never been a cause for concern. This is an extremely rare case - actually, it happens more to us when we test because we have a bad habit of always using the same test accounts ;-) But normal people don’t use multiple Steam accounts. So don’t worry about it.

The Login Settings Panels in the Settings Screen

Unfortunately, all these efforts won’t be enough. It is also a good idea to provide additional tools in the game user interface to help users deal with their accounts. Therefore each game should provide a “Login Settings” button (located in a Settings screen or an Account screen) that opens a dialog showing:

  • The current Login Name, user ID and e-mail.
  • An “Edit my Profile” link that takes the user to the Web site at
  • A “Get my Password” link. This triggers the “I forgot my password” procedure using the Reset Password API. One more chance for the user to retrieve her password. Important: read the note below about the case where the account does not contain a valid e-mail.
  • A “Support” link that takes the user directly to the right page (app+platform) in the account Technical Support area of the app.
  • A Logout button. This allows the user to switch to another account.
  • Partners’ icons, with the linked reference (if connected to it) or a “Login” link to connect with the Partner. In the following screenshot from Small World 2, we can see that we are connected and linked to Game Center, but we are not connected with Facebook:

Login Settings

Such a panel will help the user manage her account. As importantly, it will also help for Technical Support: often, getting a screenshot of this screen provides more information than any text description from the user.

Note: the user’s account might contain a non-valid e-mail

It may happen that the user’s account does not contain a valid e-mail. This occurs when the account was created completely automatically using Steam or Facebook or Game Center on the Days of Wonder Web site or from one of our old apps. In this case, the Reset Password procedure cannot work, since the server does not have any proper address to send the reset e-mail to.

Therefore the panel should get info about the user account (using the User: details end-point) and check the email_valid field. If it is false, rename the “Get my Password” link or button into “Update my e-mail”. When the user clicks on it, open a dialog box to have her type her e-mail address (don’t forget to ask her if she wants to subscribe to the Newsletter too) and use the User: email and newsletter end-point to update the user’s account with the new e-mail.

Once her e-mail is updated, she will be able to use the “Send my Password” feature since we’ll now have a nice and clean address in her account.