Personal Access Token
A PersonalAccessToken (PAT) allows makers to authenticate with the Ludilol API for programmatic access. PATs are scoped to specific capabilities and can optionally be restricted to a single game.
Properties
| Property | Type | Description |
|---|---|---|
| Id | int | Primary key |
| UserId | int | FK → AppUser |
| GameId | int? | FK → Game (optional scope restriction) |
| Scope | PatScope | What the token can access |
| Name | string | Human-readable label |
| TokenHash | string | SHA-256 hash of the token (token itself is shown only once) |
| ExpiresAtUtc | DateTime | When the token expires |
| LastUsedAtUtc | DateTime? | Last API call timestamp |
| RevokedAtUtc | DateTime? | When the token was revoked |
Scopes
| Value | Name | Description |
|---|---|---|
| 1 | OData | Read-only access to the OData order feed (/api/odata/orders) |
| 2 | GameVersions | Upload, list, and delete game versions via API |
API Endpoints
OData Scope
- `GET /api/odata/orders`: Query up to 200 orders with OData filters
GameVersions Scope
- `GET /api/games/{gameId}/versions`: List versions
- `POST /api/games/{gameId}/versions`: Upload a new version (200 MB limit)
- `DELETE /api/games/{gameId}/versions/{versionId}`: Delete a non-published version
Security
- The raw token is displayed only once at creation time.
- Only the SHA-256 hash is stored in the database.
- Tokens are sent as `Authorization: Bearer {token}` headers.
- Expired or revoked tokens are rejected.
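
The rules above, written out as an added C# example (not Ludilol's own code): a token is issued once, only its SHA-256 hash is kept, and each request is checked for the bearer header, revocation, expiry, scope and game restriction. `PatRecord`, `PatValidator`, the in-memory store, the hex encoding of the hash, and the exact-match scope and game rules are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Constructed sample: one GameVersions token restricted to game 42 (ids are made up).
var (raw, hash) = PatValidator.Issue();
var store = new Dictionary<string, PatRecord>
{
    [hash] = new PatRecord(1, 42, PatScope.GameVersions, hash, DateTime.UtcNow.AddDays(30), null)
};
var now = DateTime.UtcNow;
Console.WriteLine(PatValidator.IsAuthorized($"Bearer {raw}", PatScope.GameVersions, 42, store, now)); // same game
Console.WriteLine(PatValidator.IsAuthorized($"Bearer {raw}", PatScope.GameVersions, 7, store, now));  // other game
Console.WriteLine(PatValidator.IsAuthorized($"Bearer {raw}", PatScope.OData, 42, store, now));        // wrong scope

public enum PatScope { OData = 1, GameVersions = 2 }

// Hypothetical mirror of the Properties table, limited to the fields the checks need.
public record PatRecord(int UserId, int? GameId, PatScope Scope, string TokenHash,
                        DateTime ExpiresAtUtc, DateTime? RevokedAtUtc);

public static class PatValidator
{
    // SHA-256 of the raw token; hex encoding of the digest is an assumption.
    public static string Hash(string rawToken) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(rawToken)));

    // Creation: 32 random bytes are returned to the caller once; only the hash is stored.
    public static (string RawToken, string TokenHash) Issue()
    {
        string raw = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        return (raw, Hash(raw));
    }

    // True only for a known, unrevoked, unexpired token that matches the scope and game.
    public static bool IsAuthorized(string? authorizationHeader, PatScope required, int? gameId,
        IReadOnlyDictionary<string, PatRecord> storeByHash, DateTime nowUtc)
    {
        const string prefix = "Bearer ";
        if (authorizationHeader is null || !authorizationHeader.StartsWith(prefix, StringComparison.Ordinal))
            return false;
        string presentedHash = Hash(authorizationHeader[prefix.Length..].Trim());
        if (!storeByHash.TryGetValue(presentedHash, out var pat)) return false;        // unknown token
        if (pat.RevokedAtUtc is not null || pat.ExpiresAtUtc <= nowUtc) return false;  // revoked or expired
        if (pat.Scope != required) return false; // assumption: one scope per token, exact match
        // Assumption: a game-restricted token is accepted only on requests for that game.
        return pat.GameId is null || pat.GameId == gameId;
    }
}
```

Because the store is keyed by the hash, a database leak exposes no usable tokens, and a lost token cannot be recovered, only revoked and reissued.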