StormDev Logins is a REST API on stormdev.org that lets your site, game or application allow users to log in using their StormDev account. Full documentation is available for the whole API, and a Java implementation is available for people making Android apps, JSP websites, desktop applications and more.
- Allow your users to log in to your site/game/application using their StormDev account!
- View a user's name, nickname and even their profile picture!
- On websites you have the choice to either use the API to let the user log in through your own login form, or have them forwarded to StormDev.org, log in there, and get forwarded back to you!
Full documentation of the API is available: you can view the documentation for the REST API here, and the documentation (javadoc) for the Java implementation is included in the download.
Using the API
Log in a user
There are two ways of doing it:
Forward the user to StormDev.org, have them log in and then get forwarded back to you
This can be done in a handful of easy steps:
- Redirect the user to
http://stormdev.org/login.jsp?callback=<URL Encoded URL of your page handling logins>
- The user logs in and is sent back to the page specified in the previous step.
- The page the user is sent to has the URL parameters 'email' and 'code'. Use these to make a POST request to
http://stormdev.org/auth/loginInfo with the email and code in JSON format to retrieve the account details and session id of the logged-in user. (For more information see the API Docs.) Alternatively, if you are using Java or JSP (Java Server Pages), you can use the Java implementation of the REST API to retrieve the account and session information using
LoginInfoResponse response = StormAuthLib.getLoginInfo(email, code); and then checking the response to see if it was successful and, if so, retrieving the account information and session id. For more information read the javadocs included in the download.
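The redirect flow above at the REST level, as an added example that is not part of the StormDev download: it builds the redirect URL, reads the callback parameters, and confirms the code with StormDev before the visitor is treated as the owner of that email. The JSON key names `email` and `code`, the function names and the `game.example` callback are assumptions; the real request and response schema is in the API Docs.

```python
import json
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Endpoints exactly as given on the page (plain http; prefer https if the service offers it).
LOGIN_PAGE = "http://stormdev.org/login.jsp"
LOGIN_INFO = "http://stormdev.org/auth/loginInfo"

def login_redirect_url(callback_url):
    """Step 1: where to send the browser. urlencode() percent-encodes the callback."""
    return LOGIN_PAGE + "?" + urlencode({"callback": callback_url})

def parse_callback(request_url):
    """Step 3: read 'email' and 'code' from the URL the user came back on."""
    query = parse_qs(urlparse(request_url).query)
    email, code = query.get("email", []), query.get("code", [])
    # Reject missing or repeated parameters instead of guessing which one counts.
    if len(email) != 1 or len(code) != 1:
        raise ValueError("expected exactly one 'email' and one 'code' parameter")
    return email[0], code[0]

def login_info_request(email, code):
    """Build the POST to /auth/loginInfo. JSON key names are assumed, not from the API docs."""
    body = json.dumps({"email": email, "code": code}).encode("utf-8")
    return Request(LOGIN_INFO, data=body, method="POST",
                   headers={"Content-Type": "application/json"})

def fetch_login_info(request_url, opener=urlopen):
    """Confirm the code with StormDev before treating the visitor as 'email'.

    Returns (http_status, parsed_json_or_None); the response schema is in the API docs.
    """
    email, code = parse_callback(request_url)
    try:
        with opener(login_info_request(email, code), timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        return err.code, None
```

Create your own local session only after `fetch_login_info` reports success; the `email` parameter on its own is just something the browser supplied.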
Let users log in to StormDev.org using your own login form
It is recommended to forward your users to StormDev.org to log in, as it's more secure and easier to use and implement. However, if you do want them to log in on your site, consider adding a link that gives the user the option to log in via StormDev.org using the above method. If you still want to use your own login form, that can be done in a handful of easy steps:
- The user fills out their email and password into your form
- The form is submitted to your page
- You send a POST request to
http://stormdev.org/auth/login with the email and password in the message body in JSON format, and parse the response for the account details, session id, etc. (For more information see the API Docs.) Alternatively, if you are using Java or JSP (Java Server Pages), you can use the Java implementation of the REST API to log in the user by:
LoginRequestResponse response = StormAuthLib.login(email, password); and then checking if the login was successful and, if so, getting the session id, etc. For more information read the javadocs included in the download.
Prevent being logged out for inactivity
If StormDev thinks the account has been inactive for a while (about an hour), it is automatically logged out and the login session is no longer valid. To stop this, while the user is active, make periodic (about every 10-20 minutes) POST requests to
with the account email and session id in the request body in JSON format. The server will return either true or false: true means that StormDev now knows that the account isn't inactive, and false means that either the session id is wrong or the account has logged out. You can determine the exact reason by checking the HTTP status code. For more information see the API Docs.
Validate the login session (Check that the user hasn't logged out)
It is a good idea to periodically check that the user's session is still valid, because it can be invalidated by many things: the user logging out, the user being considered 'inactive', etc. Fortunately this is simple to do; make a POST request to
with the account email and session id in the request body in JSON format. If the response from the server is 'true', the session is valid; if it's 'false', it's invalid because either they're not logged in or the session id is wrong. You can determine the exact reason by checking the HTTP status code. For more information see the API Docs.
Log out a user
When the user is done, you probably don't need them to log out of StormDev, but if you do, this is done by making a POST request to
with the account email and either session id or password in the request body in JSON format. The server will then return 'true' if they were successfully logged out, or 'false' if they weren't or were already logged out. If it returns 'false', you can determine the exact reason by checking the HTTP status code. For more information see the API Docs.
Prove that a client is logged into a valid StormDev login session to another client or a server
If you intend to use StormDev accounts in a multiplayer game or other application where it is necessary to prove to another party that you are logged in to a valid StormDev account without simply sending the session id (as this can be used to log out, etc.), then /auth/clientDualAuth and /auth/serverDualAuth (and their Java implementation equivalents) are going to be useful to you. How to use them:
- The client makes a POST request to
http://stormdev.org/auth/clientDualAuth with the account email and session id in JSON format. (For more information see the API Docs)
- Next, StormDev will send a response in JSON format which, if the user is correctly logged in, contains a randomly generated AuthKey that expires within a minute. (If they aren't logged in correctly, check the API Docs for what the possible responses will be.)
- The client tells the other client/server the AuthKey and their email.
- The other client/server makes a POST request to
http://stormdev.org/auth/serverDualAuth and if the response says that everything worked out ok, the other client/server can be sure that the user is indeed logged into a valid StormDev account. The response also contains the account and session information, except the session id.
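The dual-auth exchange above with both sides' messages, as an added example that is not StormDev's code: `FakeStormDev` is an in-memory stand-in constructed for this illustration, and the field names `sessionID`, `authKey`, `ok` and `account` are assumptions (the real schema is in the API Docs). It models only what the page states: the AuthKey is random, expires within a minute, and the verifying side never receives the session id.

```python
import secrets
import time

AUTHKEY_TTL = 60  # seconds; the page says the AuthKey expires within a minute

class FakeStormDev:
    """In-memory stand-in for stormdev.org, constructed for this example."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}  # email -> session id
        self.authkeys = {}  # AuthKey -> (email, expiry time)

    def login(self, email):
        self.sessions[email] = secrets.token_hex(16)
        return self.sessions[email]

    def client_dual_auth(self, body):
        """Models /auth/clientDualAuth: email + session id in, AuthKey out."""
        if self.sessions.get(body["email"]) != body["sessionID"]:
            return {"ok": False}
        key = secrets.token_urlsafe(24)
        self.authkeys[key] = (body["email"], self.clock() + AUTHKEY_TTL)
        return {"ok": True, "authKey": key}

    def server_dual_auth(self, body):
        """Models /auth/serverDualAuth: email + AuthKey in, account info out."""
        email, expiry = self.authkeys.get(body["authKey"], (None, 0))
        if email != body["email"] or self.clock() >= expiry:
            return {"ok": False}
        return {"ok": True, "account": {"email": email}}  # never the session id

def make_claim(stormdev, email, session_id):
    """Client: trade the session id for an AuthKey and pass on only that."""
    resp = stormdev.client_dual_auth({"email": email, "sessionID": session_id})
    return {"email": email, "authKey": resp["authKey"]} if resp["ok"] else None

def verify_claim(stormdev, claim):
    """Other client/server: check the claim with StormDev, not with the peer."""
    resp = stormdev.server_dual_auth(claim)
    return resp["account"] if resp["ok"] else None
```

The verifying side should act on the account information StormDev returns, not on the email the peer sent, and should verify the claim as soon as it arrives because of the one-minute lifetime.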