# Membership Authentication ## 1.Overview When servicing a Windows app in the EXE format, integration with Purchases on the Web is required.\ Since membership authentication (login) is necessary for Purchases on the Web integration, this specification is provided. * The Payment Server API uses the OAuth Token (hereinafter referred to as User Access Token) issued during membership authentication (login). * OAuth authentication is supported to prevent the need for membership authentication (login) for every payment. ## 2.Precautions A 403 error will occur if you attempt Google OAuth login in an Embedded Browser (WebView) without applying the Google SDK.\ You can prevent the 403 error using the following methods: * Attempt login in a new window instead of an Embedded Browser. * Modify the User-Agent information to make it recognized as a web browser instead of an Embedded Browser. ## 3.Membership Authentication Flow ### 3.1 Conceptual View

### 3.2 Logical API ↔ Physical API Specification Mapping The physical API specifications mapped to the logical APIs listed in the Conceptual View are as follows.

No	Flow	Logical API	Physical API (Integration Specifications)
1	Membership Authentication	Login UI Request	4.2 ONE store Login Authentication Request
2	Membership Authentication	Issuance of ONEstore UserAccessToken	4.3 ONE store User Access Token Issuance Request

## 4. ONE store Membership Authentication ### 4.1 Overview of ONE store Login API The ONE store Login API consists of the following: * ONE store Login Authentication Request API * User Access Token Issuance/Deletion Request API The ONE store Login Authentication Request API is an API that displays the ONE store login screen on the developer's service web.\ When the user successfully completes ONE store membership authentication, the temporary code (code) received from the API is used to call the User Access Token Issuance Request API. The User Access Token obtained through the issuance request API is used to call various Server APIs. The User Access Token has a shorter expiration period compared to the Refresh Token, and when it expires, a new User Access Token must be issued using the Refresh Token. The detailed token issuance rules are specified in "4.1.4 User Access Token and Refresh Token Issuance Criteria." #### **4.1.1** Standard Response Codes


Code	message_ko	message_en	HTTP Status Code	Target API	Remarks
Success	정상처리 되었습니다.	The request has been successfully completed.	200 - Success	4.4 ONE store User Access Token Deletion Request
RequiredValueNotExist	필수값이 존재하지 않습니다. [ field1, field2, ... ]	Request parameters are required. [ field1, field2, ... ]	400 - Bad Request	Common
NoSuchData	조회된 결과값이 존재하지 않습니다.	The requested data could not be found.	404 - Not Found	Single Lookup AP
ResourceNotFound	요청한 자원이 존재하지 않습니다.	The requested resource could not be found.	404 - Not Found	Common	When the requested URL resource does not exist
InternalError	정의되지 않은 오류가 발생하였습니다.	An undefined error has occurred.	500 - Internal Server Error	Common
InvalidRequest	입력값이 유효하지 않습니다. [ field1, field2, ... ]	Request parameters are invalid. [ field1, field2, ... ]	400 - Bad Request	Common
UserAccessTokenExpired	Access 토큰이 만료되었습니다.	User Access Token has expired.	401 - Unauthorized	Common	Code and UserAccessToken Expiration Processing When the expiration period is exceeded When the membership status changes (Dormant/Withdrawn/Merged) When the TStore ID member password is changed When social authentication fails (e.g., changes in social integration information, such as unlinking)
InvalidRefreshToken	잘못된 Refresh Token 입니다.	Invalid refresh token	400 - Bad Request	Common	grant_type: refresh_token case
ExpiredRefreshToken	만료된 Refresh Token 입니다.	Invalid refresh token (expired)	401 - Unauthorized	Common	grant_type: refresh_token case
UnauthorizedAccess	해당 API에 접근권한이 없습니다.	Not authorized to this API.	403 - Fobidden	Common
InvalidUserAccessToken	Access 토큰이 유효하지 않습니다.	User Access Token is invalid.	401 - Unauthorized	Common
InvalidAuthorizationParam	Authorization Param의 값이 유효하지 않습니다.	Authorization param is invalid.	400 - Bad Request	Common	code Invalid code
MethodNotAllowed	지원하지 않는 HTTP Method 입니다.	HTTP method not supported.	405 - Method Not Allowed	Common
InvalidContentType	잘못된 Content Type 입니다.	The request content-type is invalid.	415 - Unsupported Media Type	Common
UserNotExist	회원 정보가 존재하지 않습니다.	User does not exist.	404 - Not Found	Common
InvalidUser	회원 정보가 유효하지 않습니다.	User information is not valid.	409 - Conflict	Common
UnsupportedResponseType		Unsupported response types: [field1]	400 - Bad Request	Common
WrongApproach		The wrong approach.	403 - Forbidden	Common

#### **4.1.2** Standard Error Response In the case of an error response, the predefined code and message from the standard response codes are returned. **Example** |

HTTP/1.1 400 Bad Request
Content-type: application/json;charset=UTF-8
{
"error" : {
"code" : "NoSuchData",
"message" : "The requested data could not be found."
}
}

| | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | #### **4.1.3 client\_id와 client\_secret** The client\_id and client\_secret values can be found in "Developer Center > Application > App Detail > Common Info > Settings for Licensing".
#### **4.1.4** User Access Token and Refresh Token Issuance Criteria The ONE store User Access Token is issued based on the Client ID (Game/App) and the ONE store user’s Membership ID. * grant\_type : authorization\_code * Since this involves explicit user login, a new token is issued even if the existing token is still valid. * user\_access\_token, refresh\_token * If valid (user\_access\_token, refresh\_token) already exist, the existing values are returned. * If no valid (user\_access\_token, refresh\_token) exist, new tokens are issued.
* grant\_type : refresh\_token * refresh\_token * If no valid refresh\_token exists, an error response is returned. * If a valid refresh\_token exists, the expiration period is extended (reset to the default 35 days). * user\_access\_token * If a valid user\_access\_token exists, the existing value is returned. * If no valid user\_access\_token exists, a new one is issued. * When a token is deleted, both refresh\_token and user\_access\_token are deleted together.
### 4.2 ONE store Login Authentication Request **\[ API Spec. ]**


Protocol	HTTPS
Content-Type	application/x-www-form-urlencoded
Method	GET/POST
Response Format	URL Redirect
Path	Production - https://accounts.onestore.net/oauth2.0/authorize Development - https://qa-accounts.onestore.co.net/oauth2.0/authorize
Description	Login Page When Using ONE store OAuth Error Codes Reference: Standard Response Codes

**\[ Request ]** **Parameter**


Parameter Name	Type	Description	Required	Remarks
response_type	String	The internal identifier for the authentication process must be sent as 'code'.	Y	code
client_id	String	OAuth Client Id	Y	Use the Package Name of the Android OS Application.
redirect_uri	String	The value is URL-encoded and sent to the Callback URL registered during registration.	Y	UURL Encoding
state	String	To prevent cross-site request forgery attacks, the URL-encoded value is used as a state token generated by the developer.	Y	URL Encoding Generated and passed by the developer. ONE store returns the received value as is.
scope	String	It serves as an internal identifier to handle the scope of access permissions.	Y	user_payment

**Header**


Parameter Name	Type	Description	Required
x-market-code	String	Market Classification Code MKT_ONE: ONE store (South Korea) MKT_GLB: ONE store (other than South Korea)	Y

Parameter Name

Type

Description

Required

x-market-code

String

Market Classification Code

MKT_ONE: ONE store (South Korea)
MKT_GLB: ONE store (other than South Korea)

**Example** | | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | **\[ Response ]** * When the ONE store Login Authentication Request API is called and the user is not logged in, they will be redirected to the login screen. * After the user completes the login, if agreement to terms and information provision is required, they will be redirected to the corresponding screen. * Once the login and consent process are completed, the code value and state value are sent as URL parameters to the callback URL. * The code value is used for the User Access Token issuance request.\


Element Name	Type	Description	Remarks
code	String	- Authentication code returned upon successful login authentication - Used for User Access Token issuance	length : 50 Consists of uppercase and lowercase English letters and numbers Expiration period: 5 minutes
state	String	State token generated by the developer to prevent cross-site request forgery (CSRF) attacks	URL encoding Returns the exact value passed in the request
error_code	String	Error code returned upon login authentication failure	Error codes reference: Standard Response Codes
error_message	String	Error message returned upon login authentication failure

**Example** |

After completing the authentication process:

If the API request is successful:
If the API request fails:

| | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | Error Type Summary


Code	Response Method	Occurrence Conditions	Details (Message and Screen Content)	Additional Explanation
RequiredValueNotExist	PAGE	Missing Required Values - response_type - client_id - state - scope - redirect_uri	Request parameters are required. [ {Missing Parameter} ]
UnsupportedResponseType	REDIRECTION	Parameter Validity - response_type ≠ code	{redirect_uri}?error_code=UnsupportedResponseType&error_message=Unsupported response types: [{response_type}]
InvalidRequest	PAGE	Parameter Validity - Unissued client_id	Request parameters are invalid. [ client_id ]
InvalidRedirect	PAGE	Parameter Validity - Unregistered redirect_uri	Invalid redirect
InvalidScope	REDIRECTION	Parameter Validity - scope ≠ user_payment	{redirect_uri}?error_code=InvalidScope&error_message=Invalid scope	Occurs when an authentication request is made after access
WrongApproach	PAGE	Direct Access to Login URI	The wrong approach.	Direct access to /oauth2.0/login

### 4.3 ONE store User Access Token Issuance Request **\[ API Spec. ]**


Protocol	HTTPS
Content-Type	application/x-www-form-urlencoded
Method	POST
Response Format	application/json
Path	Production - https://accounts.onestore.net/oauth2.0/token Development - https://qa-accounts.onestore.net/oauth2.0/token
Description	ONE store User Access Token Issuance Error Codes Reference: Standard Response Codes

**\[ Request ]** **Parameter**


Parameter Name	Type	Description	Required	Remarks
grant_type	String	Classification value for the access token issuance method	Y	'authorization_code' 'refresh_token' Other issuance methods are currently undecided
client_id	String	OAuth Client Id	Y	Uses the Package Name of the Android OS Application
client_secret	String	OAuth Client Secret	Y	Uses the Client secret value issued by the ONE store Developer Center
code	String	Authentication code (code) received in response after successfully calling the login authentication request API	N	grant_type : Required value for authorization_code
refresh_token	String	Urefresh_token value issued together when obtaining the User Access Token	N	grant_type : Required value for refresh_token
state	String	To prevent cross-site request forgery attacks, the URL-encoded value is used as a state token generated by the developer.	Y	URL encoding Generated and passed by the developer. ONE store returns the received value as is.

**Header**


Parameter Name	Type	Description	Required
x-market-code	String	Market Classification Code MKT_ONE: ONE store (South Korea) MKT_GLB: ONE store (other than South Korea)	Y

Parameter Name

Type

Description

Required

x-market-code

String

Market Classification Code

MKT_ONE: ONE store (South Korea)
MKT_GLB: ONE store (other than South Korea)

**Example** |

POST /oauth2.0/token HTTP/1.1 Host: accounts.onestore.net Content-Type: application/x-www-form-urlencoded x-market-code:MKT\_ONE

grant\_type : In the case of authorization\_code
grant\_type=authorization\_code&
code=EIc5bFrl4RibFls1&
client\_id=client\_id\_example&
client\_secret=hDBmMRhz7eJRsM9Z2q1oFBSe&
state=9kgsGTfH4j7IyAkg

grant\_type : In the case of refresh\_token
grant\_type=refresh\_token&
refresh\_token=EIc5bFrl4RibFls1&
client\_id=client\_id\_example&
client\_secret=hDBmMRhz7eJRsM9Z2q1oFBSe&
state=9kgsGTfH4j7IyAkg

| | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | **\[ Response ]**


Element Name	Type	Description	Remarks
user_access_token	String	ONE store Access Token (User Access Token)	max length : 255 만료기한 10분
refresh_token	String	Refresh Token for the User Access Token	max length : 255 기본 만료기한 35일, 사용 시 만료기한 연장(초기화)
token_type	String	Bearer
expires_in	integer	Expiration time of the Access Token (in seconds)
state	String	State token generated by the developer to prevent cross-site request forgery attacks	URL Encoding Returns the exact value passed in the request Included only on success
error {	Object	Included only when an error occurs	Error Codes Reference: Standard Response Codes
code	String	Error Code
message	String	Error Message
}

**Example**


// On Success { `"user_access_token" : "f27d2c49-231d-4848-9e8c-ec9a1fef9c35", "refresh_token" : "1fe54c5f-60d1-4fbb-a412-929c84adab43", "token_type" : "Bearer", "expires_in" : 603389, "state" : "hLiDdL2uhPtsftcU" }` // On Failure `{` `"error" : {` `"code" : "InvalidAuthorizationParam",` `"message" : "Authorization param is invalid."` `}` `}`

// On Success

{

  "user_access_token" : "f27d2c49-231d-4848-9e8c-ec9a1fef9c35",
  "refresh_token" : "1fe54c5f-60d1-4fbb-a412-929c84adab43",
  "token_type" : "Bearer",
  "expires_in" : 603389,
  "state" : "hLiDdL2uhPtsftcU"
}

// On Failure

{
"error" : {
"code" : "InvalidAuthorizationParam",
"message" : "Authorization param is invalid."
}
}

Error Type Summary


Code	Occurrence Conditions	Details (JSON)	Additional Explanation
RequiredValueNotExist	Missing Required Values - grant_type - client_id - client_secret - code (Optional Required Values) - refresh_token (Optional Required Values) - state	{ "error": { "code": "RequiredValueNotExist", "message": "Request parameters are required. ({Missing Parameter})" } }	- code: Required value when grant_type is authorization_code - refresh_token: Required value when grant_type is refresh_token
InvalidRequest	Parameter Validity - grant_type ≠ (authorization_code or refresh_token)	{ "error": { "code": "InvalidRequest", "message": "Request parameters are invalid. [ grant_type ]" } }
InvalidAuthorizationParam	Parameter Validity - Unissued code	{ "error": { "code": "InvalidAuthorizationParam", "message": "Authorization param is invalid." } }
InvalidRequest	Parameter Validity - Unissued client_id	{ "error": { "code": "InvalidRequest", "message": "Request parameters are invalid. [ client_id or client_secret ]" } }
InvalidRequest	Parameter Validity - Unissued client_secret	{ "error": { "code": "InvalidRequest", "message": "Request parameters are invalid. [ client_id or client_secret ]" } }
InvalidRefreshToken	Parameter Validity - Unissued refresh_token	{ "error": { "code": "InvalidRefreshToken", "message": "Invalid refresh token" } }	grant_type : In the case of refresh_token
ExpiredRefreshToken	Parameter Validity - Expired refresh_token	{ "error": { "code": "ExpiredRefreshToken", "message": "Invalid refresh token (expired)" } }	grant_type : In the case of refresh_token

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://onestore-dev.gitbook.io/dev/eng/tools/billing/v21/web-payment/member.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.