Implement service-to-service authentication in your game

Using the Microsoft Game Development Kit (GDK) for service-to-service authentication allows your service to securely interact with Microsoft Store APIs. This method uses User Store IDs or delegated authentication tokens to authenticate calls. This ensures seamless integration and secure transactions.

We recommend that new titles and services use the Entra ID authentication flow with User Store IDs for both PC titles and Xbox titles. Future services and development for Microsoft Store will use User Store IDs and not XSTS tokens.

Implement service-to-service authentication by using Microsoft Entra ID and User Store IDs

A User Store ID can be used to authenticate a call from your service to the Microsoft Store API.

There are two types of User Store IDs.

  • UserCollectionsID: Authenticates with the Microsoft Store Collections service
  • UserPurchaseID: Authenticates with the Microsoft Store Purchase service

This process involves two software components that perform different tasks.

  • Your service: This is an application that runs securely in the context of your business environment. This app can be implemented by using any development platform that you choose. Your service is responsible for creating the Entra ID access tokens that are needed for calling the REST URIs for the Microsoft Store Collections service.
  • Your game: This is the game for which you want to access and manage entitlement information (including add-ons for the game). This game is responsible for creating the User Store ID keys that you need to call the Microsoft Store APIs. The game can either directly create the User Store ID keys needed to call the Microsoft Store APIs or pass an x-token to the service and have your service create the Store ID keys. For more information on creating the Store ID keys on your service, see Requesting a User Store ID from your service with XSTS tokens or OAuth 2.0.

This scenario outlines the necessary configuration and steps to get a User Store ID for service-to-service authentication between the Microsoft Store service APIs and your service.

  1. Configure an application in Microsoft Entra ID: Before you can use the Microsoft Store APIs, you must create an Entra ID web application, retrieve the tenant ID and application ID for the application, and generate a key.
    Note that the Entra application must have the following options enabled under Manage->Authentication.
    • Access Tokens
    • ID Tokens
    • Supported Account Types must include personal Microsoft accounts (for example, Skype and Xbox)
  2. Associate your Entra application ID with your client app in Microsoft Partner Center: Before you can use the Microsoft Store APIs to configure the ownership and purchases for your application or add-on, you must associate your Microsoft Entra application ID with your game in Partner Center.
  3. Create Microsoft Entra ID access tokens: Before you can retrieve a User Store ID key or call the Microsoft Store APIs, your service must create several different Entra ID access tokens that represent your publisher identity.
  4. Create a User Store ID key: In your game, create a User Store ID key that represents the identity of the user who's currently signed in to the Microsoft Store app. Pass this key back to your service.
  5. Authenticate through a User Store ID for Windows PC games: All Microsoft Store service APIs support authentication through Entra ID and User Store IDs.
  6. Renew a Microsoft Store ID key: When you generate a User Store ID key, it has a lifetime of 30 days. Within the 30-day lifetime, the key is honored for authentication to the Microsoft Store Services. The key can also be renewed before it expires to generate a new User Store ID for the same Entra application Client ID and User identities.
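The renewal timing in step 6, as an added sketch for the service side (not code from the GDK documentation or the Microsoft.StoreServices library). It assumes the User Store ID key is a JWT carrying a standard `exp` claim; `RENEW_MARGIN_SECONDS`, the function names and the sample keys are hypothetical. The `exp` value is read without signature verification, so it is only a scheduling hint for renewal, never an authorization decision.

```python
import base64
import json
import time
from typing import Optional

# Hypothetical policy: renew once fewer than 5 of the 30 days remain.
RENEW_MARGIN_SECONDS = 5 * 24 * 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def key_expiry(key: str) -> Optional[int]:
    """Return the unverified `exp` claim of a JWT-shaped key, or None if unreadable."""
    parts = key.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        exp = json.loads(payload)["exp"]
    except (ValueError, KeyError, TypeError):
        return None
    return exp if isinstance(exp, int) and not isinstance(exp, bool) else None


def key_status(key: str, now: Optional[float] = None) -> str:
    """Classify a cached key as 'valid', 'renew', 'expired' or 'malformed'."""
    now = time.time() if now is None else now
    exp = key_expiry(key)
    if exp is None:
        return "malformed"
    if now >= exp:
        return "expired"  # past the lifetime in which the key is honored
    return "renew" if exp - now <= RENEW_MARGIN_SECONDS else "valid"


def make_sample_key(exp: int) -> str:
    """Constructed, unsigned sample key for the demo (not a real Store token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"exp": exp}).encode())
    return f"{header}.{body}.c2ln"


if __name__ == "__main__":
    now, day = 1_700_000_000, 24 * 3600
    for label, exp in [("fresh", now + 30 * day), ("aging", now + 3 * day), ("old", now - day)]:
        print(label, key_status(make_sample_key(exp), now))
```

Running the status check on a schedule over the keys your service has cached lets it renew each one inside its lifetime instead of discovering the expiry on a failed Store call.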

See also

The GDK documentation is the best source of up-to-date information. For details, see the following articles.

The Microsoft.StoreServices .NET library and sample

To help streamline integration of this authentication flow into your games, we've created a publicly available GitHub project for the Microsoft.StoreServices library. This library simplifies the process for authenticating with and calling the Microsoft Store Services from your back-end services. With these services, you can verify and manage user purchases made for your app or game within the Microsoft Store (including Xbox consoles).

This sample highlights how a web service can integrate with the Microsoft.StoreServices library and has example logic for managing consumable products, reconciling refunded purchases, renewing expired User Store IDs, and more. This sample also provides a configuration guide that includes the steps in this article about how to configure and set up your Entra ID for this authentication method.