How can I use the Xbox RESTful API to get the caller's xuid? I have their xbl3.0 token


I'm using the Python requests library.

So I have their xbl3.0 token and I was wondering how I could get their xuid. I've searched the documentation and found this, yet it doesn't specify any authorization headers.

Please help, I'm so confused.

import json
import requests

def getownerxuid():
    # Load the stored token from the local config file
    with open('configs/realminfo.json') as temp_json_file:
        xbltoken = json.load(temp_json_file)["xbltoken"]
    url = "https://userpresence.xboxlive.com/users/me"
    # This second assignment overwrites the URL above
    url = "https://profile.xboxlive.com/users/me/profile/settings/people/people"

    headers = {
        "Authorization": f"{xbltoken}",
        "x-xbl-contract-version": "2",
        "content-type": "application/json"
    }

    params = {
        "settings": "GameDisplayName,GameDisplayPicRaw,Gamerscore,Gamertag"
    }

    response = requests.get(url, params=params, headers=headers)

    if response.status_code == 200:
        # Parse the JSON body before indexing into it
        data = response.json()
        print(data["xuid"])
    else:
        print(f"Request failed with status code: {response.status_code}")

I'm expecting to get the response from this, but instead I just receive error 403. I know my token is not incorrect as it works fine on the realms API, which uses the same token.

user10407 On

You can get the Xbox profile associated with the token using the "DisplayClaims" response from the XSTS Authorize endpoint. Here's an example of how to format the request:

import requests

def get_xbox_info(xsts_token):
    properties = {
        'SandboxId': 'RETAIL',
        'UserTokens': [xsts_token],
        'OptionalDisplayClaims': ['mgt', 'umg', 'mgs']  # Ask for the modern gamertag values
    }
    data = {
        'Properties': properties,
        'RelyingParty': 'http://xboxlive.com',
        'TokenType': 'JWT',
    }
    response = requests.post('https://xsts.auth.xboxlive.com/xsts/authorize', json=data, headers={'Accept': 'application/json'})
    response_data = response.json()

    # The profile claims sit in the first entry of DisplayClaims.xui
    display_claims = response_data.get('DisplayClaims')
    if display_claims:
        xui = display_claims.get('xui')
        if xui:
            xbox_profile = xui[0]

            attr = {}
            attr['gamertag'] = xbox_profile.get('gtg')
            attr['xuid'] = xbox_profile.get('xid')
            attr['agg'] = xbox_profile.get('agg')
            attr['ModernGamertag'] = xbox_profile.get('mgt')
            attr['ModernGamertagSuffix'] = xbox_profile.get('mgs')
            attr['UniqueModernGamertag'] = xbox_profile.get('umg')

            return attr

    raise Exception("No Xbox profile was returned for that Microsoft account")
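
Added example, not part of the answer above or of any Xbox library: it parses an XSTS authorize response offline, pulls the xuid out of `DisplayClaims.xui`, rejects an expired token, and builds the `Authorization` header together with a redacted form that is safe to log. The sample response is constructed; the `uhs` claim, the `NotAfter` field and the `XBL3.0 x=<uhs>;<token>` header layout are assumptions not shown on this page, and `extract_identity`, `parse_not_after` and `redact` are hypothetical names.

```python
import json
from datetime import datetime, timezone

# Constructed sample of an XSTS authorize response body (every value is fake).
SAMPLE_XSTS_RESPONSE = json.dumps({
    "IssueInstant": "2024-01-01T00:00:00.0000000Z",
    "NotAfter": "2024-01-01T16:00:00.0000000Z",
    "Token": "CONSTRUCTED-PLACEHOLDER-TOKEN",
    "DisplayClaims": {"xui": [{"gtg": "ExampleTag", "xid": "2533270000000000",
                               "uhs": "1234567890123456789"}]},
})


def parse_not_after(value):
    """Parse the expiry timestamp; fractional seconds are dropped so any precision parses."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def extract_identity(body, now=None):
    """Return xuid, gamertag and Authorization header from an XSTS response body."""
    data = json.loads(body)
    xui = (data.get("DisplayClaims") or {}).get("xui") or []
    if not xui or not isinstance(xui[0], dict):
        raise ValueError("response carries no DisplayClaims.xui entry")
    claims, token = xui[0], data.get("Token")
    if not token or "xid" not in claims or "uhs" not in claims:
        raise ValueError("Token, xid or uhs missing from response")
    now = now or datetime.now(timezone.utc)
    if "NotAfter" in data and parse_not_after(data["NotAfter"]) <= now:
        raise ValueError("XSTS token has expired; request a new one")
    return {
        "xuid": claims["xid"],
        "gamertag": claims.get("gtg"),
        # Assumed header layout: scheme, user hash, then the token itself.
        "authorization": f"XBL3.0 x={claims['uhs']};{token}",
    }


def redact(header):
    """Keep the scheme and user hash, drop the bearer token, for safe logging."""
    prefix, _, _token = header.partition(";")
    return f"{prefix};<redacted>"
```

Log only the output of `redact()`; the full header value is a bearer credential and should stay out of logs and version-controlled config files.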