bedrock: Return new Bearer-like minecraft session token in .getMinecraftBedrockToken() #160
Merged
extremeheat merged 1 commit into PrismarineJS:master from Mar 29, 2026
…aftBedrockToken()

Adds a new `token` field on top of `chain`. They’re both JWTs, but they serve different roles.

* chain

  This is the Bedrock identity certificate chain. It is an array of JWTs, not a single token. It exists to prove player identity and establish trust from Mojang/Microsoft down to the client’s key. In practice, it carries identity-style claims like extraData, identityPublicKey, etc. The server walks the chain and verifies signatures step by step.

* token

  This is the separate Bedrock multiplayer login token introduced/required by the newer flow. It is a single JWT. It is closer in purpose to an auth/session token than to the old cert chain, but it is still a JWT, not an opaque bearer string. From the investigation, it includes claims like:

  - cpk: client public key
  - xid: Xbox user id
  - xname: gamertag
  - iss, aud

  The important bit is that it is bound to the client keypair via cpk.

So the mental model is:

- chain = “who are you, and what key is your Bedrock identity rooted in?”
- token = “are you authorized for multiplayer login right now, for this client key?”

Why both now:

Older flow mostly relied on the cert chain. Newer 1.26.10-style login appears to require both:

- Certificate: the chain
- Token: the multiplayer token

So token is not like the Minecraft Services mcToken used for web APIs. That mcToken is more like a conventional API bearer token. This Bedrock login token is still JWT-based, but specifically for Bedrock multiplayer login/auth and cryptographically tied to the client key.

Short version:

- chain: certificate/identity proof, array of JWTs
- token: multiplayer auth JWT, single JWT, key-bound via cpk
/makerelease major
/makerelease 3.0.0
Breaking - Adds a new `token` field instead of singularly returning the `chain` in getMinecraftBedrockToken(). They’re both JWTs, but they serve different roles.
chain: certificate/identity proof, array of JWTs
token: multiplayer auth JWT, single JWT, key-bound via cpk (Bearer token like)
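A caller-side sanity check for the new return value, as an added example that is not part of this PR or of the project's code. It assumes the result is an object with `chain` and `token` fields as described above, and that `cpk` can be compared as an exact string with the client public key the caller supplied; the function names and all sample values are hypothetical.

```javascript
// Added example. Claim names (cpk, xid, xname, iss, aud) come from the PR text.
// Assumption: cpk uses the same string encoding as the key the caller passes in.

function decodeJwtPayload (jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : []
  if (parts.length !== 3) throw new Error('not a compact JWT')
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'))
}

// Returns a list of problems found before the values go into a login packet.
// This inspects claims only; it does NOT verify signatures (the server does).
function checkBedrockLogin (result, clientPublicKey) {
  const problems = []
  if (!Array.isArray(result.chain) || result.chain.length === 0) {
    problems.push('chain must be a non-empty array of JWTs')
  }
  if (typeof result.token !== 'string') {
    problems.push('token must be a single JWT string')
    return problems
  }
  let claims
  try {
    claims = decodeJwtPayload(result.token)
  } catch (e) {
    problems.push('token: ' + e.message)
    return problems
  }
  for (const name of ['cpk', 'xid', 'xname', 'iss', 'aud']) {
    if (claims[name] === undefined) problems.push('token missing claim ' + name)
  }
  // Key binding: a token issued for another keypair is useless with this one.
  if (claims.cpk !== undefined && claims.cpk !== clientPublicKey) {
    problems.push('token cpk does not match the client key in use')
  }
  return problems
}

// Constructed sample data (not real tokens, placeholder signature).
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url')
const makeJwt = (claims) => [b64({ typ: 'JWT' }), b64(claims), 'c2ln'].join('.')
const sampleKey = 'CONSTRUCTED-CLIENT-PUBLIC-KEY'
const sample = {
  chain: [makeJwt({ identityPublicKey: sampleKey })],
  token: makeJwt({ cpk: sampleKey, xid: '0', xname: 'Example', iss: 'constructed-issuer', aud: 'constructed-audience' })
}
```

Code written against the old return value, which was only the chain, fails the first two checks, which makes the breaking change visible at the call site.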