IGDB, authentication and tokens, need server app?

Hello all,

First of all, sorry for my English, I’m French but I’ll do my best to be understandable.

I’m currently working on a mobile application which plans to use, among others, the IGDB API to search games, display details, make personal lists, etc.

I was happy to see that the v4 update will remove the request limitation to 50K, which was a blocker for me (assuming a significant number of users in the future).

But this new update comes with the migration to the Twitch authentication system, using OAuth.

I’m not really familiar or experienced in this kind of authentication system (nor very experienced in web-related development, to be honest) but this is what I think I understood reading the Twitch and IGDB docs:

  1. Using IGDB API requires an “App access token”, which can be got using the “Client credential flow”
  2. The App access token should be unique for the app and it should be used for requests sent by all the mobile app users. This token is limited in time and should be replaced by a new one at some point.
  3. The rate limit of 4 requests/second is related to the client ID and not to each user

-> In conclusion, even if I just want to make a small mobile application, reading data from IGDB, it seems that I need a server application which handles the “App access token” refresh and even, to handle the rate limit, which acts like a proxy to make all the users’ requests.

Am I right?

It just seems a little bit oversized for a small mobile app, so I’m not sure I understand everything. For example, I use TMDB API for movies and it just works with a simple token authentication, without rate limit, and doesn’t need all this architecture.

Thank you in advance for answers!

TLDR: Yes

Longer answer: You need a Proxy server because you need to generate an App Access Token.
IGDB only accepts app access tokens, and the only way to generate one is using your Client Secret.

So the client secret cannot go in the Mobile app as that violates the developer agreement.
The app access token cannot go in the Mobile app as that violates the developer agreement.

Both of these are essentially passwords and should be treated as such.

A Proxy server is a good idea, as your Proxy would also cache data from IGDB, so if someone looks up details about the game Halo: Infinite and then a second person does, you can load from your cache instead of calling the API, which makes you respond to the user more quickly. Which is even better for mobile users as users won’t have to wait as long.

Different APIs have different rules.

Thanks @BarryCarlyon for your help, seems clear now!

Can I ask if you eventually know any tutorial/reading/article/whatever as a good start to set up a proxy server to handle API requests? As I said, I’m new to this field and need to start from the beginning 🙂

Not that I know of, as I just know how to build such a thing.

  • The mobile app will call your API
  • Your API then calls IGDB’s API

Easiest method is you swap https://api.igdb.com for your API URL instead, then just fully read the URL and make a request to IGDB and return the response down the line.

Throw a caching layer in to decide if you need/want to return the cache instead of making the IGDB call.
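
The proxy outlined in the replies above, as an added example that is not code from the thread or from IGDB/Twitch: the client secret and app access token stay on the server, the token is renewed with the client credentials flow, and repeated lookups are answered from a cache. The `http_post` transport callable, the endpoint allow-list, the cache TTL and the 60-second refresh margin are assumptions made for illustration; the token URL and request headers follow the public Twitch and IGDB v4 documentation.

```python
import hashlib
import time

TOKEN_URL = "https://id.twitch.tv/oauth2/token"
IGDB_BASE = "https://api.igdb.com/v4/"
ALLOWED_ENDPOINTS = {"games", "covers", "genres"}  # assumption: only what the app needs


class IgdbProxy:
    """Keeps the client secret and app access token server-side; caches IGDB replies."""

    def __init__(self, client_id, client_secret, http_post, cache_ttl=3600, clock=time.monotonic):
        self.client_id, self.client_secret = client_id, client_secret
        self.http_post = http_post  # hypothetical transport: (url, headers, body) -> (status, data)
        self.cache_ttl, self.clock = cache_ttl, clock
        self.token, self.token_expiry = None, 0.0
        self.cache = {}  # cache key -> (expiry time, data)

    def _app_token(self):
        # Client credentials flow; renew 60 s before the current token expires.
        if self.token is None or self.clock() >= self.token_expiry - 60:
            form = {"client_id": self.client_id, "client_secret": self.client_secret,
                    "grant_type": "client_credentials"}
            status, data = self.http_post(TOKEN_URL, {}, form)
            if status != 200:
                raise RuntimeError("token request failed")  # never echo the secret in errors
            self.token = data["access_token"]
            self.token_expiry = self.clock() + data["expires_in"]
        return self.token

    def handle(self, endpoint, query):
        """Serve one mobile-app request; returns (status, data)."""
        if endpoint not in ALLOWED_ENDPOINTS:  # do not forward arbitrary paths upstream
            return 404, None
        key = hashlib.sha256(f"{endpoint}\n{query}".encode()).hexdigest()
        hit = self.cache.get(key)
        if hit and hit[0] > self.clock():
            return 200, hit[1]  # cache hit: no IGDB call, no rate-limit cost
        headers = {"Client-ID": self.client_id, "Authorization": "Bearer " + self._app_token()}
        status, data = self.http_post(IGDB_BASE + endpoint, headers, query)
        if status == 401:  # token rejected early: renew once and retry
            self.token = None
            headers["Authorization"] = "Bearer " + self._app_token()
            status, data = self.http_post(IGDB_BASE + endpoint, headers, query)
        if status == 200:
            self.cache[key] = (self.clock() + self.cache_ttl, data)
        return status, data
```

The mobile app only ever talks to `handle` through your own API, so neither the secret nor the token is shipped in the app binary.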
