Splinterlands Public API Policy & Upcoming Change

Note: This post is specifically for third party developers and anyone who uses the Splinterlands public API. It does not involve any player-facing changes.

Splinterlands provides a public API that allows developers and data analysts to interact with and query data from the game. We love all of the third party development that has taken place around the game and want to encourage and support that; however, we also need to prevent spam and abuse of the API calls which can negatively affect the performance of the game for everyone.

To that end, we will be implementing the following policy regarding the use of the public APIs:

  1. Spamming or other abuse of API calls will result in source IP addresses being blocked and/or rate limiting and/or other preventative measures to be implemented without notice.
  2. Breaking changes to any API calls will be announced on our blog at least 7 days before the change goes into effect, except in extreme cases where the change is necessary to ensure the smooth operation of the game.
  3. Splinterlands does not assume any responsibility for any losses or damages incurred from downtime, errors, or other issues that may occur with the public API.

As we mentioned above, we really want to encourage and support continued third party development around the game, but we need to ensure that it's done in a way that doesn't cause problems. If you have any questions about proper usage of the APIs, please feel free to contact @yabapmatt on the Splinterlands Discord Server and we will be happy to help.

Login API Call Change

Starting on Monday, January 20th, the /players/login API call will require a valid signature to be sent as a query string parameter signed with the private posting key of the specified Steem blockchain account.

The message to be signed is the current timestamp (in milliseconds) appended to the account name. For example: yabapmatt1578625303226. Some code snippets to generate the signature using the Steem Keychain browser extension and some JS libraries are included below.

Once you have generated the proper signature, you can make the /players/login API call as follows:


Please note that the timestamp that is sent to the login call with the ts parameter must be the same as the one used in the signed message.

Message Signature Examples

To sign the message via the Steem Keychain browser extension you can call:

steem_keychain.requestSignBuffer(username, username + timestamp, 'Posting', r => {
    if(r.result) {
        // r.result is the signature
    } else {
        // Error

To sign the message using the dSteem JS Library you can call:

dsteem.PrivateKey.fromString(private_posting_key).sign(Buffer.from(dsteem.cryptoUtils.sha256(username + timestamp))).toString()

To sign the message using the EOS JS ECC Library you can call:

eosjs_ecc.sign(username + timestamp, private_posting_key);

Thank You For Your Support

The Splinterlands team wants to extend a big thank you specifically to all of the third party developers who have provided apps, tools, services, and data analysis for the game. We love all of the unique and innovative things you have created which help improve the overall experience for everyone, and we appreciate your support and understanding as we work towards growing this ecosystem in a smart and sustainable way.

Stay tuned for more updates from the Splinterlands!

Website | Blog | Discord | Telegram | Shop


Thank for the update. I think this change will create problem for SteemConnect login on https://monstermarket.io.

Now to comply with this I need to ask for user's posting key if they don't have Steem Keychain installed (most mobile users).

  1. Please define what specifically you mean by "Spamming or other abuse of API calls." I doubt anyone who was using Login had any idea they were doing anything inappropriate until you rate-limited it. I certainly didn't, it was just another undocumented call like all the others. (In fact I still don't know why it's different.)
  2. This post is missing a description of where one can healthily get the information which is in Login. I managed to figure this out with help from other third-party devs but since none of this is documented, if you're going to break a hook, please tell people what they should be doing instead.

I agree with you.

It should be given a standard.

For example, the api concurrency is 1 time per second

And if so, is it one time per second per hook or one time per second per account? Several of my projects hit Balances for a lot of accounts at once, for instance. (Not frequently.) Those are all accessed through the same hook by passing the account name.

No response to your questions from Splinterlands?