Guild Wars 2

I am sorry if my searching couldn’t find this, or if this forum is not the right place for this. (I tried my best really!)

I would like to have an Online Character Viewer, where I can see my characters, their character screen info (map completion, achieves etc) and possibly skills/traits etc from the Hero panel.

It would be a fun way to share (out of game) my character and how i have chosen to play them, with friends that do, (or do not), play the game.

From what I have been reading, this MIGHT be possible through the Auth API?

Thank you in advance for any responses.

The idea has already been mentioned in another thread, but i forgot where it was.

https://gateway.playneverwinter.com/ (hint, hint!)

please keep in mind that by allowing character data to be accessed by third parties, security for GW1 accounts might be compromised, based on the requirement for having to enter a character name with the account.

please take extra steps to ensure that any pulls of character data cannot be linked to account information by any third party, as this could possibly give a backdoor access for hackers to steal peoples’ accounts.

please remember that people who have linked their GW1 and GW2 accounts may have used at least one character name from GW1 when creating GW2 characters. allowing any third party, access to my character names via API pulls could compromise my GW1 account, and therefore possibly my GW2 account.

now, i may be simply paranoid about this, but i want to be sure that my account is secure. i’d hate to lose it to hackers due to official apps making a back door.

thank you for listening.

@Forgotten Legend.9281: Two-factor authentication should render all of those concerns moot.

Lawton Campbell.8517:

It’s definitely something I’m working on. If you’re technically-minded, there’s a pull request on Github that details our plans for the initial release of an API endpoint that will allow the creation of sites that can access your character data.

What kind of time frame are you looking at before we see any kind of release?

Lawton Campbell.8517:

It’s definitely something I’m working on. If you’re technically-minded, there’s a pull request on Github that details our plans for the initial release of an API endpoint that will allow the creation of sites that can access your character data.

What about privacy?

Will I be able to set a per-character flag saying I don’t want my character exposed by the API?

Sytherek.7689:

Lawton Campbell.8517:

It’s definitely something I’m working on. If you’re technically-minded, there’s a pull request on Github that details our plans for the initial release of an API endpoint that will allow the creation of sites that can access your character data.

What about privacy?

Will I be able to set a per-character flag saying I don’t want my character exposed by the API?

Ah the ever constant fear of gear inspecting and elitism that follows

Sytherek.7689:

Lawton Campbell.8517:

It’s definitely something I’m working on. If you’re technically-minded, there’s a pull request on Github that details our plans for the initial release of an API endpoint that will allow the creation of sites that can access your character data.

What about privacy?

Will I be able to set a per-character flag saying I don’t want my character exposed by the API?

Why? If my understanding is correct, only you will be able to see your characters anyway.

EnemyCrusher.7324:

Sytherek.7689:

Lawton Campbell.8517:

It’s definitely something I’m working on. If you’re technically-minded, there’s a pull request on Github that details our plans for the initial release of an API endpoint that will allow the creation of sites that can access your character data.

What about privacy?

Will I be able to set a per-character flag saying I don’t want my character exposed by the API?

Why? If my understanding is correct, only you will be able to see your characters anyway.

You would give your permission to a website or app that would then allow it to pull the character data. After you have done that, it may just present it back to you, but it could also store it and make it publicly available. If you also give it the offline permission it will even be able to keep its records up to date.

You will be able to revoke permissions at any time, of course.

Nabrok.9023:

EnemyCrusher.7324:

Sytherek.7689:

Lawton Campbell.8517:

It’s definitely something I’m working on. If you’re technically-minded, there’s a pull request on Github that details our plans for the initial release of an API endpoint that will allow the creation of sites that can access your character data.

What about privacy?

Will I be able to set a per-character flag saying I don’t want my character exposed by the API?

Why? If my understanding is correct, only you will be able to see your characters anyway.

You would give your permission to a website or app that would then allow it to pull the character data. After you have done that, it may just present it back to you, but it could also store it and make it publicly available. If you also give it the offline permission it will even be able to keep its records up to date.

You will be able to revoke permissions at any time, of course.

Thank you much.

I’m not entirely against my choices being visible to others. But I want to control that visibility.

Sytherek.7689:

Thank you much.

I’m not entirely against my choices being visible to others. But I want to control that visibility.

From the current design, that’s going to be up to the website, not ANet. They’re giving rather coarse-grained permissions right now.

Pat Cavit.9234:

In the end you, the user, are responsible for determining who gets access to your data. If you don’t like what they do with it revoke their access.

We just provide a safe, standardized way to authenticate and say “Yes, App <XYZ> can read parts of my private data.”

I assume character data is private unless explicitly made visible by the account holder to specific web sites.

here goes attempt number two, since the forums ate my post. my apologies if this sounds abrasive. if you read any negative attitude between the lines, it’s mostly due to the frustration of having to rewrite all this less perfectly than before.

A) will there be a setting in game or in my account page so that i can set a definitive “no app is allowed to access my account / character information, ever, even if the app is able to produce the proper credentials” option? (please answer yes. this seems to me to be a “must have” option.)

B) will there be another secondary option to “send me an email informing me of any automatically blocked attempt of an app to access my account.”
~ this email would NOT ask me permission for the app to access my account. this email would simply state that an app tried to access my account, and was blocked due to my account settings.
~ this would avoid confusion that the email authentication system could bring. i’d hate to have checked the box for “A” option, and then get an email asking me permission for an app to access my account.
~ i understand that “app” access might then need to be coded differently than “game access” for these purposes

C) presuming the above options are included, if neither A nor B options are checked, i would presume that email authentication settings would take over.
~ preferably adding a separate option specifically for app access email authentication (defaulting to the game access email authentication setting?)
~ a separate option could then be treated as an either / or / neither option with “B” above (ie, either B, or C, or neither, but never both)
~EDIT: for clarification, it would be either: “A” and “B” auto-block and email notifying me of the block, OR “C” email me asking me for permission, OR neither

D) presuming both A and B options above, i would suggest making sure they override the email authentication requesting permission.
~ if i check the box for “A”, and email authentication sends me an email, and i say yes, then “A” automatically denies permission unless i change the setting for “A”
~ however. if “C” suggestions are implemented with either / or / neither functionality, this wouldn’t be a problem

E) even if none of the above options are included, the bare minimum security requirement would be the email authentication applies to any app that attempts access to account / character information.

basically, i’m saying i want an account setting to override any app’s permissions. i don’t want any app accessing my account / character info because some app got permission.

please forgive me for my paranoia, and my obsession with asking for clarification on this. I know a lot of people want these kinds of apps. i want them to be able to have them, too. i just want to be able to opt out of it in “one easy step,” (checking 2 boxes still falls within the hyperbole) and never have to worry about it again.

Thanks for listening again, and bacon to you too!

Your opt out is this:

• Do not authorize API access to your Account/Character to applications; and
• If you have authorized API access to your Account/Character to applications, revoke that access within whatever security page ANet provide for this.

You don’t provide sites with your username/password combination. Instead what happens is you log in to a page provided by ANet using a special link (which tells ANet what permissions are being requested, and where to return what’s called an access token) which then asks if you want to allow access for this application, and also tells you which permissions you’re giving (i.e. Character, Account, Offline, etc – these are the scopes or permissions that you want the application to have). If you never allow an application to use a particular scope (or revoke access) then the app cannot access that data. After allowing the application access, they get returned an access token to retrieve data (and a refresh token if you allowed the Offline scope, so they can get new access tokens when the old one expires.) When you revoke an application’s permission, the access token will no longer work (and they cannot use the refresh to get another one) and they can no longer access the data.

Each application will have its own App ID, and each application should also have its own access token to use. By giving access to say smiley’s super-duper character viewer application, you’re not giving permission to my character logging application (note: these are just examples.) – you’d need to grant permissions to both if you wanted both apps to work.

Not sure if ANet is intending on a button to revoke all applications at once, maybe this could work for your requirements if they did?

You will know, however, if an app is requesting access to your credentials before you even allow it since you’ll get a page like this: http://i.imgur.com/E9XKVy3.png which actually sits on ANet’s servers.

Moturdrn.2837:

You will know, however, if an app is requesting access to your credentials before you even allow it since you’ll get a page like this: http://i.imgur.com/E9XKVy3.png which actually sits on ANet’s servers.

After the login screen you’ll get a screen which will be similar like the following (similar as in: the wording will be clarified). Note the URL, the login and the authorization will always happen on Anet’s servers.

€: If you’re interested in how OAuth2 actually works, you might want to read this: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified (or just google for OAuth2)

Forgotten Legend.9281:

A) will there be a setting in game or in my account page so that i can set a definitive “no app is allowed to access my account / character information, ever, even if the app is able to produce the proper credentials” option? (please answer yes. this seems to me to be a “must have” option.)

All access to authenticated APIs is opt in. That means you have to explicitly give permission to specific apps/websites to access your data on those APIs.

If you do nothing, no one will be able to access your account/character data.

so, if i understand this right… i would have to be using the app, and then log in to my account on guildwars2.com… and then grant permission. so if i never use any apps, then they’ll never gain access to any of my information. ( i still wouldn’t mind having a “block all apps” setting just in case, but seeing that it wouldn’t be needed if i never use any apps to begin with, my paranoia is sated. )

thank you so very much everybody for explaining how this works. i’m glad you all saw through my post (and Bacon Deficiency) and saw that some respectful “there’s no need to worry. this is how it works.” is really all i needed to alleviate my concerns.

the trouble with BDD (bacon deficiency disorder) is that sometimes, the one suffering from it overthinks things.

golden brown delicious crispy bacon to all of you.

Forgotten Legend.9281:

so, if i understand this right… i would have to be using the app, and then log in to my account on guildwars2.com… and then grant permission. so if i never use any apps, then they’ll never gain access to any of my information.

Exactly this.

hi ArtifexDominus.8675,

This little tool may fit your needs: https://etblue.github.io/gw2inventory/

Submit your API key (with account, inventories, characters, wallet, builds, guilds permissions) and then bookmark the page, then you will be able to access your characters anytime you want.

But beware, if you share the bookmarked url with your friends, you are sharing your API key with them, too.

Please remember to check the date of a thread before posting. Commenting on an out of date thread and bumping it to the top of the forums is considered necroposting and is against forum rules. This thread will now be locked. Thank you.