originally posted in: BungieNetPlatform
Hi, I'd like to know how the API handles Login Credentials (e.g. PSN/XBL). I'd appreciate it if someone could briefly explain this.

I'm asking because I've seen that one of the main reasons people don't use 3rd Party apps for Destiny is the fear of getting your login information stolen or saved. In short, many guardians stay away from unofficial apps because they're afraid of getting their accounts [i]"hacked"[/i] and I'd like to have a good answer to reassure them that it won't happen.

And to all the independent DEVs that are making tools/sites/apps for our favourite game: Keep up the good work, you are the tech savvy [b]legends[/b] that make this community so much better.

Thanks a lot.

Edit: added tags, formatting, grammar.
Edited by lowlines: 1/30/2016 12:28:35 PM

This is possibly the most asked topic on these forums :p

Bungie does not officially support third party authentication. In order to make authenticated requests you need to have a mechanism in place that gets the browser cookies that are generated when a user authenticates with PSN/Xbox. Applications that act as web browser extensions are probably the least iffy because they will never have access to your login details (though technically all you need are valid cookies and you could do all sorts of things...) and the user has to make an active choice of allowing the plugin to have access when they install it.

Most developers that put heaps of time into making awesome apps have absolutely no desire to use a user's information for anything other than to enrich their time spent in Destiny. Bungie.net have been working hard at bringing more stuff out from the private endpoints (and will be introducing privacy options no one will probably really use, but will at least have the option if they wish) as well as building their own versions of apps that require authentication into the Bungie.net website such as the Gear Manager.

I feel that if there was a case where a third party app was built with the intention of being dishonest with a user's credentials, it would get shut down very quickly. But it's really up to the end user whether they would rather be with or without (and those few times where I had to resort to using the Official Mobile app to move an entire gear set, man can that suck...). Most developers actively engage with their users on the forums, Reddit or their own websites, and if a user still distrusts them after they give out Chocolate Strange Coins, well...that's their loss :p