I'm not entirely certain. Here is an example of the ticket, though: CAEQour61Q0YACA6KnCZisCVMU6wo+cpZm77xisYoMSkgADk8ftfkCvP5Cwvx0kCccFs+ZebjgbSwsX3+XAFTRcsuL7mXMu3suFvwhAFFq/shUiop9wfUVl7TMNXFsimeMqVecgmLtswkdmBUFr9ZQjAqXg8PGKvpiXUWhLc The first 4 characters are always "CAEQ". The rest is random. I'm not 100% sure this is the application ticket itself, but some of the server responses for bad or expired keys seem to indicate it's an application ticket. Here's an example of it in a curl request: curl -XPOST "http://api.battlerite.net/auth/steam-async/v1"-H "Client-Version: Bloodgate=92,Gameplay=91" -H "Content-type: application/json" -d "{\"key\":\"CAEQour61Q0YACA6KnCZisCVMU6wo+cpZm77xisYoMSkgADk8ftfkCvP5Cwvx0kCccFs+ZebjgbSwsX3+XAFTRcsuL7mXMu3suFvwhAFFq/shUiop9wfUVl7TMNXFsimeMqVecgmLtswkdmBUFr9ZQjAqXg8PGKvpiXUWhLc\"}" An expired "key", for example, will get this response: {"status":400,"code":7,"message":"App ticket is too old","property":"key"} If the key is correct and hasn't expired, the server responds with something like: {"sessionID":"BDC0291F338E9FBAD4DBCA13AB603F23","refreshToken":"A8B756CB57FAEAB9A860A9910A45F5A0","timeUntilExpire":900,"userId":352} From there the sessionID is used in the header of any requests to authenticate them: curl -H "authorization: Bearer BDC0291F338E9FBAD4DBCA13AB603F23" -H "Content-type: application/json" "http://api.battlerite.net/account/public/v1" The server would respond to the request above with some data. Not important for this example... Every 15 minutes the refresh token generates a new sessionID with this request: curl -H "Content-type: application/json" -H "Client-Version: Bloodgate=92,Gameplay=91" -d "{\"refreshToken\":\"A8B756CB57FAEAB9A860A9910A45F5A0\",\"userId\":352}" "http://api.battlerite.net/auth/refresh/v1" Response: {"refreshToken":"526E3777D8173139283A691179710759","timeUntilExpire":900,"userId":352} If, for some reason, the refresh token is incorrect then a new application ticket is generated and it generates a new sessionID and refresh token: HTTP/1.1 401 Unauthorized Date: Sat, 17 Dec 2016 00:02:06 GMT WWW-Authenticate: Bearer realm="realm" Content-Type: text/plain Content-Length: 49 Credentials are required to access this resource.POST /auth/refresh/v1 HTTP/1.1 Content-Type: application/json; charset=UTF-8 Client-Version: Bloodgate=92,Gameplay=91 Content-Length: 65 Host: api.battlerite.net {"refreshToken":"C811BCFF74CC3A207B8B7D8DCD2B5708","userId":352}HTTP/1.1 400 Bad Request Date: Sat, 17 Dec 2016 00:02:06 GMT Content-Type: application/json Content-Length: 82 {"status":400,"code":2,"message":"Invalid refreshToken","property":"refreshToken"}POST /auth/steam-async/v1 HTTP/1.1 Content-Type: application/json; charset=UTF-8 Client-Version: Bloodgate=92,Gameplay=91 Content-Length: 178 Host: api.battlerite.net {"key":"CAEQv53/jAgYACA6KnDgM25IlI9jnNEmBDlyPkmnT44yEfcYYq0NZj85IpZYi2nZrJBISlXZnOo3J2PqgZe30PMEs5G+0DdBHzOpGfNR2ypy6diAw2iokVCGUgqWDVxscB+gJsQlqMtc0Qx+IvUqMwuXw4DHqogIdrd1Vha7"}HTTP/1.1 200 OK Date: Sat, 17 Dec 2016 00:02:13 GMT Content-Type: application/json Connection: close {"position":1}{"sessionID":"710F7C64FFCE115D15DE08F02A7212F0","refreshToken":"AC5DF2AF04048485B04217809759C990","timeUntilExpire":900,"userId":352} As stated in the op, I'm interested in retrieving some of the data each time a user registers for my web app or chooses to update their data in my database, and I'd like a way to generate my own sessionID's. Given what you see here, is that possible? In addition to the excerpt from the documentation posted in the op, there is this information on application tickets: Am I to understand that this only means that the private key is needed for the server in order to verify the ticket and that the user can request and view the application ticket without the private key?
