Minecraft legacy login - tomsik68/mclauncher-api GitHub Wiki

Prerequisities

  1. Username
  2. Password
  3. User has minecraft or mojang account

Process

Connect to login.minecraft.net using HTTPS

The public key has to be the same as minecraft.key in official launcher which can be downloaded at MinecraftDownload site

Send data via post

user=<username>&password=<password>&version=13

  • user=<username> - Username of the player entered in text field. Can also be e-mail if it's mojang account.

Example: [email protected]

  • password=<password> - Password player entered in text field.

Example(this is bad example): 12345

  • version=13 This is version of launcher. For the newest version of older launcher, it's 13.

Receive text data

Example of data received: 1367502965000:deprecated:Tomsik68:asdg465arg465fs465asdf:56sdf1g51adfga68df4 These are actually 5 values split by :.

Let's go over these values:

1. 1367502965000 = Last version

This is actually a unix timestamp(number of milliseconds since 1.1.1970) which tells client when was the last version released. This timestamp is afterwards compared to that one in .minecraft/bin/version. If they're different, client will update(the old way).

2. deprecated = Download Ticket

This is not used anymore, so it's always deprecated. However it was used as some kind of crack-prevention so pirate users couldn't update.

3. Tomsik68 = Case-correct player username.

Mojang is planning name changing, so they started sending the player name to client. Client uses this name rather than the e-mail.

4. asdg465arg465fs465asdf = Session ID(this is not real session ID I made it up)

Session IDs are randomly generated by the login server. These are replacement for the password. They're used while connecting to multiplayer server for verification. It can be used to steal player identity, that's why the value above is not a real value. This is known as "session stealing". Off-line value: -

5. 56sdf1g51adfga68df4 = Player's unique ID.(again, not real made up)

This is player-specific hex string which is unique identifier for a player. Because name is going to be changeable, they need to give player unique index.

Errors

If your received data don't contain : then you can tell it's some kind of error report. There can be multiple error reports:

  1. "Bad Request" - You didn't include all parameters or some of parameters has invalid value.
  2. "Bad Login" - Wrong username/password

What now?

After you logged in successfully, you can save your login information. It's recommended to use the new way of saving login details.

⚠️ **GitHub.com Fallback** ⚠️