GAGA SSO Mobile SDK — Developer Guide
Interactive reference for the engineer building the SDK
Overview
The SDK is the only component the game calls. It owns the tokens, renders the auth/account UI, signs requests, and talks to the GAGA backend over HTTPS. The Gamebryo C++ engine reaches it through a thin C++ bridge.
One Unified GAGA ID per player. The same account & tokens work across Game Client, Website and Web Shop (true SSO). Desktop SDK is out of SOW, but auth is plain REST so a PC client can reuse the C++ bridge + web login later — platform accepts android | ios | pc | web.
Login methods and UI
The most important thing to get right: each method shows a different kind of UI. Guest and social are native; GAGA ID (email) is a web-hosted page in the system browser — never a native form or embedded WebView.
Web-login flow / OAuth2 + PKCE
How the GAGA ID button works end to end: the SDK opens the system browser, receives a one-time code on a deep link, and exchanges it, together with the PKCE verifier, for tokens.
Two values the SDK generates fresh for every login — they prove the app that started the flow is the same one finishing it. This is what protects a public client (a mobile app can't safely hold a client secret).
code_verifier = a high-entropy random string that never leaves the device. code_challenge = its SHA-256 hash, safe to send out because a hash can't be reversed.
```
code_verifier  = base64url( random(32 bytes) )      // 43 chars, no padding
code_challenge = base64url( SHA256(code_verifier) ) // code_challenge_method = "S256"
```
Where each value goes in the flow
Step 2 GET /login?...&code_challenge=<challenge>&code_challenge_method=S256 ← challenge only
Step 6 POST /auth/token { code, code_verifier } ← verifier
backend recomputes SHA256(verifier), compares to the stored challenge
Why it matters on mobile: the callback returns on a deep link (gagasdk://auth/callback?code=…) that a malicious app could intercept. Without PKCE, a stolen code could be exchanged for tokens. With PKCE it can't — the attacker has no code_verifier and the hash can't be reversed, so the stolen code is worthless.
Generating the pair (Kotlin / Swift)
Android · Kotlin
```kotlin
import android.util.Base64
import java.security.MessageDigest
import java.security.SecureRandom

// 32 bytes from the platform CSPRNG -> 43-char base64url string, no padding
val verifier = Base64.encodeToString(
    ByteArray(32).also { SecureRandom().nextBytes(it) },
    Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP)
// S256: challenge = base64url(SHA-256(verifier)); the verifier is ASCII, so toByteArray() is exact
val challenge = Base64.encodeToString(
    MessageDigest.getInstance("SHA-256").digest(verifier.toByteArray()),
    Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP)
```
iOS · Swift (CryptoKit)
```swift
import Foundation
import Security
import CryptoKit

// Foundation only offers standard base64; base64url swaps "+/" for "-_" and drops "=" padding
func base64URL(_ d: Data) -> String {
    d.base64EncodedString()
        .replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "/", with: "_")
        .replacingOccurrences(of: "=", with: "")
}

var b = [UInt8](repeating: 0, count: 32)
_ = SecRandomCopyBytes(kSecRandomDefault, 32, &b)                    // platform CSPRNG
let verifier = base64URL(Data(b))                                     // 43 chars
let challenge = base64URL(Data(SHA256.hash(data: Data(verifier.utf8))))
```
Do: use S256 (never plain) · generate a new pair per login · keep the verifier in memory only · also send a random state for CSRF.
Don't: log, persist, or reuse the verifier.
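The whole exchange above, run end to end as an added example (not SDK or backend code from this guide): the client side generates the verifier/challenge/state pair and builds the Step 2 request, a simulated backend issues a one-time code on the deep link, and the Step 6 token endpoint recomputes SHA-256 over the verifier and compares it with the challenge it stored. The auth host, client_id and the shape of the token response are placeholders; the deep link scheme is the one from the guide. The second scenario shows why interception alone is not enough: a code taken from the callback without the verifier is refused, and a code is also refused on replay.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_BASE = "https://auth.example.invalid"  # placeholder host, not from the guide
REDIRECT_URI = "gagasdk://auth/callback"    # deep link named in the guide
CLIENT_ID = "gaga-mobile"                   # assumed client_id


def b64url(raw: bytes) -> str:
    """base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_pkce_pair() -> tuple[str, str]:
    verifier = b64url(secrets.token_bytes(32))                       # 43 chars, stays on device
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class SdkLoginAttempt:
    """Client side: one login = one fresh verifier/challenge pair and one fresh state, held in memory."""

    def __init__(self) -> None:
        self.verifier, self.challenge = generate_pkce_pair()
        self.state = b64url(secrets.token_bytes(16))

    def authorize_url(self) -> str:
        # Step 2: only the challenge leaves the device
        q = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
             "code_challenge": self.challenge, "code_challenge_method": "S256", "state": self.state}
        return f"{AUTH_BASE}/login?{urlencode(q)}"

    def handle_callback(self, deep_link: str) -> str:
        # The callback must carry the state this attempt generated, otherwise it is not ours (CSRF)
        qs = parse_qs(urlparse(deep_link).query)
        if qs.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: callback does not belong to this login attempt")
        return qs["code"][0]


class FakeAuthBackend:
    """Simulated GAGA auth backend: stores the challenge per code, verifies S256 at the token endpoint."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # one-time code -> stored challenge

    def login(self, authorize_url: str) -> str:
        # Stands in for the user completing the web-hosted login page; returns the deep link
        q = parse_qs(urlparse(authorize_url).query)
        if q["code_challenge_method"][0] != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = q["code_challenge"][0]
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, code: str, verifier: str) -> dict:
        # Step 6: pop() makes the code single-use; recompute and compare in constant time
        stored = self._pending.pop(code, None)
        if stored is None:
            return {"error": "invalid_grant"}
        recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        if not hmac.compare_digest(recomputed, stored):
            return {"error": "invalid_grant"}
        return {"access_token": "at-" + b64url(secrets.token_bytes(8)), "token_type": "Bearer"}


def happy_path() -> dict:
    sdk, backend = SdkLoginAttempt(), FakeAuthBackend()
    code = sdk.handle_callback(backend.login(sdk.authorize_url()))
    return backend.token(code, sdk.verifier)


def stolen_code() -> dict:
    """Another app registered for the gagasdk:// scheme received the callback; it has no verifier."""
    sdk, backend = SdkLoginAttempt(), FakeAuthBackend()
    deep_link = backend.login(sdk.authorize_url())
    code = parse_qs(urlparse(deep_link).query)["code"][0]
    return backend.token(code, b64url(secrets.token_bytes(32)))  # any guess hashes to something else


def replayed_code() -> dict:
    """The legitimate exchange succeeds once; presenting the same code again is refused."""
    sdk, backend = SdkLoginAttempt(), FakeAuthBackend()
    code = sdk.handle_callback(backend.login(sdk.authorize_url()))
    backend.token(code, sdk.verifier)
    return backend.token(code, sdk.verifier)


if __name__ == "__main__":
    print(happy_path(), stolen_code(), replayed_code())
```

The `hmac.compare_digest` call is there because the comparison is against an attacker-influenced value; a plain `==` would leak timing, which is cheap to avoid.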
Binding & conflict / binding a guest to a social account
Converting a guest into a permanent account. The key branch: if the target social account already owns a character, the backend returns 409 BIND_CONFLICT and the SDK must show a resolution dialog — never overwrite silently.
Rule: a guest must bind before any Web Shop purchase
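The conflict branch and the purchase rule, as an added example in Python (not the project's own code): a simulated bind endpoint returns 409 BIND_CONFLICT when the target social identity already belongs to an account that owns a character, the SDK-side handler turns that into a resolution step instead of overwriting, and a Web Shop guard refuses unbound guests. The account fields, the 409 body and the outcome names are assumptions; the guide only fixes the status code, the error name and the rule itself.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    account_id: str
    kind: str                        # "guest" or "social" (assumed representation)
    social_id: Optional[str] = None  # external social identity once bound
    has_character: bool = False


class FakeGagaBackend:
    """Simulated bind endpoint; account store and response bodies are assumptions for this example."""

    def __init__(self, accounts: list[Account]) -> None:
        self.accounts = {a.account_id: a for a in accounts}

    def bind_guest(self, guest_id: str, social_id: str) -> tuple[int, dict]:
        guest = self.accounts[guest_id]
        if guest.kind != "guest":
            return 400, {"error": "NOT_A_GUEST"}
        owner = next((a for a in self.accounts.values() if a.social_id == social_id), None)
        if owner is not None and owner.has_character:
            # Conflict: both sides have progress; the backend refuses and leaves both accounts untouched
            return 409, {"error": "BIND_CONFLICT",
                         "guest_account_id": guest_id,
                         "existing_account_id": owner.account_id}
        # Free identity (the guide does not cover an owner without a character; treated as bindable here)
        guest.kind, guest.social_id = "social", social_id
        return 200, {"account_id": guest_id}


def sdk_bind(backend: FakeGagaBackend, guest_id: str, social_id: str) -> dict:
    """SDK side: success binds in place; 409 is surfaced to the player, never resolved silently."""
    status, body = backend.bind_guest(guest_id, social_id)
    if status == 200:
        return {"outcome": "bound", "account_id": body["account_id"]}
    if status == 409 and body.get("error") == "BIND_CONFLICT":
        return {"outcome": "show_resolution_dialog", "conflict": body}
    return {"outcome": "error", "detail": body}


def can_purchase_in_web_shop(account: Account) -> bool:
    """Rule from the guide: a guest must bind before any Web Shop purchase."""
    return account.kind != "guest"


def make_backend() -> FakeGagaBackend:
    # Constructed sample data: one guest with progress, one social account that already owns a character
    return FakeGagaBackend([
        Account("g-1", "guest", has_character=True),
        Account("s-1", "social", social_id="google:alice", has_character=True),
    ])


if __name__ == "__main__":
    be = make_backend()
    print(sdk_bind(be, "g-1", "google:alice"))   # conflict -> dialog
    print(sdk_bind(be, "g-1", "google:bob"))     # free identity -> bound
```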
Tokens & sessions / token model
Setup checklist
The native plumbing the SDK depends on.
API & SDK reference / API and method reference
| Endpoint | SDK method | Purpose |
|---|---|---|
Draft for technical alignment between PRANEAT (platform) and X-Legend (game). Endpoint paths, payloads and method names are proposals to finalize in the OpenAPI spec. Companion documents: SDK Integration Spec and Platform Technical Build Spec. v1.0 · 16 Jun 2026 · Confidential.