Authentication
External Store Linking
NexusPlay uses the industry-standard OAuth 2.0 authorization code flow with PKCE to securely connect your Steam, Epic Games, and GOG libraries without storing your store credentials.
When you initiate a linking sequence, our servers generate a unique, single-use verifier and redirect you to the official provider login page. Upon approval, the provider returns an authorization code that we exchange for a scoped access token. Supported scopes include library:read, achievements:read, and friends:read. The entire handshake completes in under 1.2 seconds, and all cryptographic exchanges are protected by TLS 1.3.
Steam Integration
Direct API bridge to Valve's OAuth endpoint. Supports offline access for library sync and real-time achievement tracking.
Epic Games Store
Secure token mapping via Epic's identity service. Enables seamless launch routing and entitlement verification.
GOG Galaxy
DRM-free catalog synchronization using read-only scopes. Preserves local installation paths without cloud dependency.
Session & Refresh Tokens
NexusPlay maintains persistent launcher sessions through a dual-token architecture designed for low-latency authentication and automatic credential rotation.
Access tokens are issued with a 15-minute TTL and are automatically refreshed via long-lived refresh tokens that expire after 90 days of inactivity. All tokens are scoped to your specific hardware fingerprint and IP subnet to prevent session hijacking. Failed authentication attempts trigger a progressive cooldown, and compromised tokens are instantly invalidated across all active endpoints. Token payloads are signed using RS256 and verified against our public JWK set hosted at auth.nexusplay.io/.well-known/jwks.json.
Auto-Refresh Logic
Background daemon checks token expiry at T-120 seconds. Silent renewal ensures zero interruption during gameplay or background updates.
Revocation Controls
Instantly terminate active sessions from any device. Granular revocation supports per-store or global token invalidation.
Audit Logging
Every token issuance, refresh, and revocation is timestamped and stored in our immutable audit trail for 365 days.