This section lists the claims that an encrypted token can include for your relying party. The claims included in the token are determined when you first configure your relying party.
Claims not part of an identity
These claims don't belong to a device, title, or user identity.
Audience
| Description | The audience the JWT is intended for. For XSTS tokens, configure Partner Center with your relying party name (audience URI). |
|---|---|
| Name (short) | aud |
| Type | String |
Issuer
| Description | The principal that issued the JWT. It should always be xsts.auth.xboxlive.com. |
|---|---|
| Name (short) | iss |
| Type | String |
Token issue date/time
| Description | The time (UTC) at which the token becomes valid. The token shouldn't be used before this time. Value is the number of seconds since epoch (1-1-1970). |
|---|---|
| Name (short) | nbf |
| Type | IntDate |
Token expiration date/time
| Description | The expiration time (UTC) of the token. Value is the number of seconds since epoch (1-1-1970). |
|---|---|
| Name (short) | exp |
| Type | IntDate |
Sandbox ID
| Description | Identifies the sandbox in which the title is being executed. |
|---|---|
| Name (MXA) | AuthClaimTypes.SandboxId |
| Name (short) | sbx |
| Symbol | https://schemas.microsoft.com/xbox/2013/05/claims/sandbox/id |
| Type | String |
Proof key
| Description | A public key generated by the caller and passed in the initial request for a token. Requests are signed using the associated private key, and the receiving service must verify the signature using the JWK in the token. |
|---|---|
| Name (MXA) | AuthClaimTypes.ProofKey |
| Name (short) | cnf |
| Symbol | https://schemas.microsoft.com/xbox/2013/03/claims/proofkey |
| Type | JSON object |
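The following added example (not part of the original page or of any Xbox SDK) shows how a relying party might check the `aud`, `iss`, `nbf`, `exp`, and `sbx` claims described above. It assumes the token has already been decrypted and its signature verified, and that the claims are available as a dictionary; the function names, the `leeway` parameter, and the sample values are constructed for illustration.

```python
import time

XSTS_ISSUER = "xsts.auth.xboxlive.com"  # the value this page gives for iss

# Constructed sample claim set (assumed shape: decrypted, verified payload).
SAMPLE_CLAIMS = {
    "aud": "https://rp.example.test/",
    "iss": "xsts.auth.xboxlive.com",
    "nbf": 1700000000,
    "exp": 1700057600,
    "sbx": "RETAIL",
}


def _int_date(claims, name, errors):
    """Return claim `name` as seconds since epoch, or None after recording an error."""
    value = claims.get(name)
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        errors.append(f"{name}: missing or not an IntDate")
        return None
    return value


def validate_xsts_claims(claims, audience, sandbox, now=None, leeway=0):
    """Check the non-identity claims; return a list of errors (empty means pass).

    audience: the relying party name (audience URI) configured in Partner Center.
    sandbox:  the sandbox ID this service is meant to serve.
    leeway:   hypothetical clock-skew allowance in seconds.
    """
    now = int(time.time()) if now is None else now
    errors = []

    if claims.get("iss") != XSTS_ISSUER:
        errors.append("iss: unexpected issuer")
    if claims.get("aud") != audience:
        errors.append("aud: token was issued for a different relying party")
    if claims.get("sbx") != sandbox:
        errors.append("sbx: token comes from a different sandbox")

    nbf = _int_date(claims, "nbf", errors)
    exp = _int_date(claims, "exp", errors)
    if nbf is not None and now + leeway < nbf:
        errors.append("nbf: token is not valid yet")
    if exp is not None and now - leeway >= exp:
        errors.append("exp: token has expired")
    if nbf is not None and exp is not None and exp <= nbf:
        errors.append("exp: not later than nbf")
    return errors
```

Reject the request if the returned list is not empty, and only then read the identity claims (xdi, xti, xui) from the token.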
Device identity claims
The following claims can be part of the device identity (xdi) section of the token.
Device pairwise ID
| Description | An anonymized identifier from Microsoft account (MSA) that represents the device. This value is unique to each partner. |
|---|---|
| Name (MXA) | AuthClaimTypes.DevicePairwiseId |
| Name (short) | dpi |
| Symbol | https://schemas.microsoft.com/xbox/2013/03/claims/device/pwid |
| Type | String |
Device type
| Description | The type of device making the call. |
|---|---|
| Name (MXA) | AuthClaimTypes.DeviceType |
| Name (short) | dty |
| Symbol | https://schemas.microsoft.com/xbox/2011/07/claims/device/type |
| Type | String |
Device types
| Value | Description |
|---|---|
| Scarlett | GDK-based game running on an Xbox Series X|S console |
| XboxOne | XDK-based game running on a console from either the Xbox One or Xbox Series family. |
| WindowsOneCore | GDK-based game running on a PC that was packaged with IXVC |
| Win32 | Win32-based Xbox Live enabled game running on a PC and not packaged with IXVC |
| iOS | Xbox Live-enabled game running on iOS |
| Android | Xbox Live-enabled game running on Android |
Device version
| Description | The device version. |
|---|---|
| Name (MXA) | AuthClaimTypes.DeviceVersion |
| Name (short) | dvr |
| Symbol | https://schemas.microsoft.com/xbox/2012/11/claims/device/version |
| Type | String |
Device capabilities
| Description | The device capabilities. |
|---|---|
| Name (MXA) | AuthClaimTypes.DeviceCapabilities |
| Name (short) | dca |
| Symbol | https://schemas.microsoft.com/xbox/2012/11/claims/device/capabilities |
| Type | Integer array |
| Possible values | See the following table for descriptions of the possible device capability values. |
| Device capability value | Description |
|---|---|
| No value | Indicates the device is Xbox hardware that doesn't have an Optical Disk Drive (ODD). |
| 1 | Indicates the device is Xbox hardware that has an ODD. |
| 2 | Indicates the device is an Xbox Game Streaming server. |
| 1 2 or 2 1 | Indicates the device is an Xbox Game Streaming server with an ODD. |
Device debug
| Description | The device debug mode (Retail, SRA, ERA). |
|---|---|
| Name (MXA) | AuthClaimTypes.DeviceDebug |
| Name (short) | ddm |
| Symbol | https://schemas.microsoft.com/xbox/2012/11/claims/device/debug |
| Type | String |
Title identity claims
The following claims can be part of the title identity (xti) section of the token.
Title ID
| Description | The title ID. |
|---|---|
| Name (MXA) | AuthClaimTypes.TitleId |
| Name (short) | tid |
| Symbol | https://schemas.microsoft.com/xbox/2011/07/claims/title/id |
| Type | Integer |
Title version
| Description | The title version. |
|---|---|
| Name (MXA) | AuthClaimTypes.TitleVersion |
| Name (short) | tvr |
| Symbol | https://schemas.microsoft.com/xbox/2011/07/claims/title/version |
| Type | String (System.Version): all other platforms (including Xbox One); String (decimal integer): legacy platforms (Xbox 360, GFWL, Windows Phone 7 & 8, Windows 8) |
User identity claims
The following claims can be part of the user identity (xui) section of the token.
User hash
| Description | A dynamically generated string that identifies a particular user identity within an XBL3.0 token. When a request applies to a specific user in the token, the client includes the appropriate user hash in the authorization header. |
|---|---|
| Name (MXA) | AuthClaimTypes.UserHash |
| Name (short) | uhs |
| Symbol | https://schemas.microsoft.com/xbox/2013/03/claims/user/hash |
| Type | String |
Partner XUID
| Description | An anonymized identifier that represents the user. This value is unique to each publisher / partner and is the recommended identifier to use when linking against a partner's internal identifier for single sign-on scenarios. Only available in XBL 3.0 tokens. |
|---|---|
| Name (short) | ptx |
| Symbol | https://schemas.microsoft.com/xbox/2013/03/claims/user/pxuid |
| Type | String |
User pairwise ID
| Description | An anonymized identifier from the Microsoft account (MSA) that represents the user. This value is unique to each publisher / partner. Titles should use the Partner XUID (PXUID) and not the PWID for unique identification of the user in databases. Only available in XBL 3.0 tokens. |
|---|---|
| Name (MXA) | AuthClaimTypes.UserPairwiseId |
| Name (short) | upi |
| Symbol | https://schemas.microsoft.com/xbox/2013/03/claims/user/pwid |
| Type | String |
Guest
| Description | If present, the user is a guest and the claim value is the index associated with this guest. |
|---|---|
| Name (MXA) | AuthClaimTypes.UserGuest |
| Name (short) | ugs |
| Symbol | https://schemas.microsoft.com/xbox/2013/06/claims/user/guest |
| Type | String |
Test
| Description | Indicates whether the user is a test user. |
|---|---|
| Name (MXA) | AuthClaimTypes.UserTest |
| Name (short) | uts |
| Symbol | https://schemas.microsoft.com/xbox/2013/04/claims/user/test |
| Type | String |
Family ID
| Description | Identifies the user's family. |
|---|---|
| Name (MXA) | AuthClaimTypes.UserFamilyId |
| Name (short) | ufi |
| Symbol | https://schemas.microsoft.com/xbox/2013/07/claims/user/familyid |
| Type | String |
Modern gamertag
| Description | The modern gamertag of the user. |
|---|---|
| Name (MXA) | AuthClaimTypes.ModernGamertag |
| Name (short) | mgt |
| Symbol | https://schemas.microsoft.com/xbox/2019/05/claims/user/moderngamertag |
| Type | String |
Modern gamertag suffix
| Description | The suffix for the modern gamertag of the user. |
|---|---|
| Name (MXA) | AuthClaimTypes.ModernGamertagSuffix |
| Name (short) | mgs |
| Symbol | https://schemas.microsoft.com/xbox/2019/05/claims/user/moderngamertagsuffix |
| Type | String |
Gamertag
| Description | The gamertag of the user. |
|---|---|
| Name (MXA) | AuthClaimTypes.Gamertag |
| Name (short) | gtg |
| Symbol | https://schemas.microsoft.com/xbox/2011/07/claims/user/gamertag |
| Type | String |
Age group
| Description | The user's age group. |
|---|---|
| Name (MXA) | AuthClaimTypes.AgeGroup |
| Name (short) | agg |
| Symbol | https://schemas.microsoft.com/xbox/2011/07/claims/user/agegroup |
| Type | String |
| Possible values | Child, Teen, Adult |
Country/region
| Description | The country/region ID where the token came from (Physical IP address of the console). It doesn't represent the user's MSA country/region. It should be used to determine which country/region the console is coming from. Because users can set their consoles to any country/region/language in the system settings, you can't trust what the console itself says to determine any regional law compliance. |
|---|---|
| Name (MXA) | AuthClaimTypes.Country |
| Name (short) | ctr |
| Symbol | https://schemas.microsoft.com/xbox/2011/07/claims/user/country |
| Type | Integer |
| Possible values | See Claim values for country/region claim |
DelegationToken
| Description | An encrypted string representing the user and title ID. This token allows a third-party service to obtain a Delegated Auth XSTS token in order to call Xbox services on behalf of a user. |
|---|---|
| Name (MXA) | AuthClaimTypes.DelegationToken |
| Name (short) | dlt |
| Symbol | https://schemas.microsoft.com/xbox/2011/07/claims/delegationtoken |
| Type | String |
Privileges
| Description | The privileges granted to the user. |
|---|---|
| Name (MXA) | AuthClaimTypes.Privileges |
| Name (short) | prv |
| Symbol | https://schemas.microsoft.com/xbox/2011/07/claims/user/privileges |
| Type | Integer array |
| Possible values | See Claim values for privileges |
Service identity claims
The following claims can be part of the service identity (xsi) section of the token.
Service ID
| Description | The service instance ID. |
|---|---|
| Name (MXA) | AuthClaimTypes.ServiceId |
| Name (short) | sid |
| Symbol | https://schemas.microsoft.com/xbox/2013/05/claims/service/id |
| Type | String |
Service type
| Description | The type of the service. |
|---|---|
| Name (MXA) | AuthClaimTypes.ServiceType |
| Name (short) | sty |
| Symbol | https://schemas.microsoft.com/xbox/2013/03/claims/service/type |
| Type | String |
Service cluster
| Description | The cluster where the service is deployed. |
|---|---|
| Name (MXA) | AuthClaimTypes.ServiceCluster |
| Name (short) | scl |
| Symbol | https://schemas.microsoft.com/xbox/2013/06/claims/service/cluster |
| Type | String |
Service instance
| Description | The instance name of the service. |
|---|---|
| Name (MXA) | AuthClaimTypes.ServiceInstance |
| Name (short) | sin |
| Symbol | https://schemas.microsoft.com/xbox/2013/05/claims/service/instance |
| Type | String |
Aggregate identity claims
The following claims may be part of the aggregate identity (xai) section of the token.
Age group
| Description | The lowest age group of all of the users in the token. |
|---|---|
| Name (MXA) | AuthClaimTypes.AgeGroup |
| Name (short) | agg |
| Symbol | https://schemas.microsoft.com/xbox/2011/07/claims/user/agegroup |
| Type | String |
| Possible values | Child, Teen, Adult |
Privileges
| Description | The union of privileges across all users in the token. Note: if any user is banned from receiving a particular privilege, the claim omits that privilege even if other users have it. |
|---|---|
| Name (MXA) | AuthClaimTypes.Privileges |
| Name (short) | prv |
| Symbol | https://schemas.microsoft.com/xbox/2011/07/claims/user/privileges |
| Type | Integer array |
| Possible values | See Claim values for privileges |
Claim values for country/region claim
The following table describes the mapping for the country/region claim value.
| Claim | Country/Region |
|---|---|
| 0 | UNKNOWN |
| 1 | UNITED ARAB EMIRATES |
| 2 | ALBANIA |
| 3 | ARMENIA |
| 4 | ARGENTINA |
| 5 | AUSTRIA |
| 6 | AUSTRALIA |
| 7 | AZERBAIJAN |
| 8 | BELGIUM |
| 9 | BULGARIA |
| 10 | BAHRAIN |
| 11 | BRUNEI DARUSSALAM |
| 12 | BOLIVIA |
| 13 | BRAZIL |
| 14 | BELARUS |
| 15 | BELIZE |
| 16 | CANADA |
| 18 | SWITZERLAND |
| 19 | CHILE |
| 20 | CHINA |
| 21 | COLOMBIA |
| 22 | COSTA RICA |
| 23 | CZECH REPUBLIC |
| 24 | GERMANY |
| 25 | DENMARK |
| 26 | DOMINICAN REPUBLIC |
| 27 | ALGERIA |
| 28 | ECUADOR |
| 29 | ESTONIA |
| 30 | EGYPT |
| 31 | SPAIN |
| 32 | FINLAND |
| 33 | FAROE ISLANDS |
| 34 | FRANCE |
| 35 | UNITED KINGDOM |
| 36 | GEORGIA |
| 37 | GREECE |
| 38 | GUATEMALA |
| 39 | HONG KONG SAR |
| 40 | HONDURAS |
| 41 | CROATIA |
| 42 | HUNGARY |
| 43 | INDONESIA |
| 44 | IRELAND |
| 45 | ISRAEL |
| 46 | INDIA |
| 47 | IRAQ |
| 48 | IRAN, ISLAMIC REPUBLIC OF |
| 49 | ICELAND |
| 50 | ITALY |
| 51 | JAMAICA |
| 52 | JORDAN |
| 53 | JAPAN |
| 54 | KENYA |
| 55 | KYRGYZSTAN |
| 56 | KOREA, REPUBLIC OF |
| 57 | KUWAIT |
| 58 | KAZAKHSTAN |
| 59 | LEBANON |
| 60 | LIECHTENSTEIN |
| 61 | LITHUANIA |
| 62 | LUXEMBOURG |
| 63 | LATVIA |
| 64 | LIBYA |
| 65 | MOROCCO |
| 66 | MONACO |
| 67 | NORTH MACEDONIA |
| 68 | MONGOLIA |
| 69 | MACAO SAR |
| 70 | MALDIVES |
| 71 | MEXICO |
| 72 | MALAYSIA |
| 73 | NICARAGUA |
| 74 | NETHERLANDS |
| 75 | NORWAY |
| 76 | NEW ZEALAND |
| 77 | OMAN |
| 78 | PANAMA |
| 79 | PERU |
| 80 | PHILIPPINES |
| 81 | PAKISTAN |
| 82 | POLAND |
| 83 | PUERTO RICO |
| 84 | PORTUGAL |
| 85 | PARAGUAY |
| 86 | QATAR |
| 87 | ROMANIA |
| 88 | RUSSIAN FEDERATION |
| 89 | SAUDI ARABIA |
| 90 | SWEDEN |
| 91 | SINGAPORE |
| 92 | SLOVENIA |
| 93 | SLOVAKIA |
| 95 | EL SALVADOR |
| 96 | SYRIAN ARAB REPUBLIC |
| 97 | THAILAND |
| 98 | TUNISIA |
| 99 | TÜRKIYE |
| 100 | TRINIDAD AND TOBAGO |
| 101 | TAIWAN |
| 102 | UKRAINE |
| 103 | UNITED STATES |
| 104 | URUGUAY |
| 105 | UZBEKISTAN |
| 106 | VENEZUELA |
| 107 | VIETNAM |
| 108 | YEMEN |
| 109 | SOUTH AFRICA |
| 110 | ZIMBABWE |
| 111 | AFGHANISTAN |
| 112 | AMERICAN SAMOA |
| 113 | ANDORRA |
| 114 | ANGOLA |
| 115 | ANGUILLA |
| 116 | ANTARCTICA |
| 117 | ANTIGUA AND BARBUDA |
| 118 | ARUBA |
| 119 | BAHAMAS |
| 120 | BANGLADESH |
| 121 | BARBADOS |
| 122 | BENIN |
| 123 | BERMUDA |
| 124 | BHUTAN |
| 125 | BOSNIA AND HERZEGOVINA |
| 126 | BOTSWANA |
| 127 | BURKINA FASO |
| 128 | BURUNDI |
| 129 | CAMBODIA |
| 130 | CAMEROON |
| 131 | CABO VERDE |
| 132 | CAYMAN ISLANDS |
| 133 | CENTRAL AFRICAN REPUBLIC |
| 134 | CHAD |
| 135 | CHRISTMAS ISLAND |
| 136 | COCOS (KEELING) ISLANDS |
| 137 | COMOROS |
| 138 | CONGO |
| 139 | CONGO, THE DEMOCRATIC REPUBLIC OF THE |
| 140 | COOK ISLANDS |
| 141 | COTE D'IVOIRE |
| 142 | CYPRUS |
| 143 | DJIBOUTI |
| 144 | DOMINICA |
| 146 | EQUATORIAL GUINEA |
| 147 | ERITREA |
| 148 | ETHIOPIA |
| 149 | FALKLAND ISLANDS |
| 150 | FIJI |
| 151 | FRENCH GUIANA |
| 152 | FRENCH POLYNESIA |
| 153 | GABON |
| 154 | GAMBIA |
| 155 | GHANA |
| 156 | GIBRALTAR |
| 157 | GREENLAND |
| 158 | GRENADA |
| 159 | GUADELOUPE |
| 160 | GUAM |
| 161 | GUERNSEY |
| 162 | GUINEA |
| 163 | GUINEA-BISSAU |
| 164 | GUYANA |
| 165 | HAITI |
| 166 | JERSEY |
| 167 | KIRIBATI |
| 168 | LAO PEOPLES DEMOCRATIC REPUBLIC |
| 169 | LESOTHO |
| 170 | LIBERIA |
| 171 | MADAGASCAR |
| 172 | MALAWI |
| 173 | MALI |
| 174 | MALTA |
| 175 | MARSHALL ISLANDS |
| 176 | MARTINIQUE |
| 177 | MAURITANIA |
| 178 | MAURITIUS |
| 179 | MAYOTTE |
| 180 | MICRONESIA |
| 181 | MOLDOVA |
| 182 | MONTENEGRO |
| 183 | MONTSERRAT |
| 184 | MOZAMBIQUE |
| 185 | MYANMAR |
| 186 | NAMIBIA |
| 187 | NAURU |
| 188 | NEPAL |
| 189 | BONAIRE, CURACAO, SABA, SINT EUSTATIUS, SINT MAARTEN |
| 190 | NEW CALEDONIA |
| 191 | NIGER |
| 192 | NIGERIA |
| 193 | NIUE |
| 194 | NORFOLK ISLAND |
| 195 | NORTHERN MARIANA ISLANDS |
| 196 | PALAU |
| 197 | PALESTINIAN AUTHORITY |
| 198 | PAPUA NEW GUINEA |
| 199 | PITCAIRN |
| 200 | REUNION |
| 201 | RWANDA |
| 202 | SAMOA |
| 203 | SAN MARINO |
| 204 | SÃO TOMÉ AND PRÍNCIPE |
| 205 | SENEGAL |
| 206 | SERBIA |
| 207 | SEYCHELLES |
| 208 | SIERRA LEONE |
| 209 | SOLOMON ISLANDS |
| 210 | SOMALIA |
| 211 | SRI LANKA |
| 212 | SAINT HELENA, ASCENSION AND TRISTAN DA CUNHA |
| 213 | SAINT KITTS AND NEVIS |
| 214 | SAINT LUCIA |
| 215 | SAINT PIERRE AND MIQUELON |
| 216 | SAINT VINCENT AND THE GRENADINES |
| 217 | SURINAME |
| 218 | ESWATINI |
| 219 | TAJIKISTAN |
| 220 | TANZANIA |
| 221 | TIMOR-LESTE |
| 222 | TOGO |
| 223 | TOKELAU |
| 224 | TONGA |
| 225 | TURKMENISTAN |
| 226 | TURKS AND CAICOS ISLANDS |
| 227 | TUVALU |
| 228 | UGANDA |
| 229 | VANUATU |
| 230 | VATICAN CITY |
| 231 | VIRGIN ISLANDS, U.S. |
| 232 | VIRGIN ISLANDS, BRITISH |
| 233 | WALLIS AND FUTUNA |
| 235 | ZAMBIA |
Claim values for privileges
The following table describes the possible privileges in the privilege claim.
| Value | Privilege | Description |
|---|---|---|
| 185 | Cross Network Play | User can play across different Networks |
| 186 | Play Tournament | User can participate in Tournaments |
| 187 | Create Tournament | User can participate in Tournaments |
| 188 | Clubs | User may create/join/participate in Clubs |
| 189 | Sessions | User may create/join non-interactive multiplayer sessions |
| 190 | Broadcast | User may broadcast live gameplay |
| 191 | Premium Music Content | User may access premium music applications for Xbox Live Gold subscribers |
| 192 | Skype Advertisement | User may access premium features of Skype from Xbox consoles |
| 193 | Download Free Content | The user can use the Xbox Store to download free content. |
| 195 | Fitness Upload | The user can upload fitness data to an online service. |
| 196 | AuthPrivileges.ManageProfilePrivacySetting | User may change their setting to show their real name |
| 197 | View Friends List | The user can view other users' friends lists. |
| 198 | Game DVR | The user can upload recorded in-game videos to the cloud. Viewing Game DVRs is subject to privacy controls. |
| 199 | Share Kinect Content | Kinect recorded content can be uploaded to the cloud for the user and made accessible to anyone if this privilege is present. Viewing other users' Kinect content is subject to a privacy setting. |
| 203 | Multiplayer Parties | The user can join a party session. |
| 205 | Communication Voice In-Game | The user can participate in voice chat during parties and multiplayer game sessions. Voice chat with a specific user also requires a privacy permission check that evaluates both users' settings, their relationship, and any Avoid list rules. |
| 206 | Communication Voice Skype | The user can use voice communication with Skype on Xbox One. |
| 207 | Cloud Gaming Manage Session | The user can allocate a cloud compute cluster and manage a cloud compute cluster for a hosted game. |
| 208 | Cloud Gaming Join Session | The user can join a cloud compute session. |
| 209 | Cloud Saved Games | The user can save games in cloud title storage. |
| 211 | AuthPrivileges.ShareContent | Users may share content |
| 214 | Premium Content | The user can purchase, download, and launch premium content available with the Xbox Live Gold subscription. |
| 217 | Internet Browser | The user can launch an Internet browser on Xbox One if this privilege is present. |
| 219 | Subscription Content | The user can purchase and download premium subscription content and use premium subscription features. |
| 220 | Social Network Sharing | The user is allowed to share progress information on social networks. |
| 221 | PII Access | User allows the title to access a subset of their personally identifiable information (PII): real name, email address, and so forth. |
| 224 | Premium Video | The user can access premium video services. |
| 235 | Video Communications | The user can use video communication with Skype or other providers when this privilege is present. Video communication with a specific user also requires a privacy permission check that evaluates both users' settings, their relationship, and any Avoid list rules. |
| 245 | Purchase Content | The user is authorized to purchase content when this privilege is present. |
| 247 | User Created Content | The user is authorized to download and view online user-created content. |
| 249 | Profile Viewing | The user is authorized to view other users' profiles. Privacy settings can limit profile access and control what the viewer can see. |
| 252 | Communications | The user can use asynchronous text messaging. A privacy permission check determines which users the requester can message. It considers both users' settings, their relationship, and any Avoid list rules. |
| 254 | Multiplayer Sessions | User can join a multiplayer session for a game. |
| 255 | Add Friend | The user is authorized to follow Xbox users. |