Account & security

The launcher's Manage account page (/launcher/account) is the only place an end user touches identity, security, characters, and the data export. It mirrors the layout of the public web portal's account page but inside the launcher chrome, and it talks to the same /api/v1/me/* endpoints.

Identity

  • Splintertag — the public, Battletag-style handle (Rodec#3746). Picked by the user during registration; the server appends a 4-digit discriminator. Other players add friends by Splintertag, never by email or account ID.
  • Email — the only login identifier. The web-api stores it lowercased with a unique index on LOWER(email). The SRP6 verifier is computed against UPPER(email):UPPER(password), so the existing AzerothCore-derived auth pipeline keeps working without protocol changes.
  • No username column anywhere — the schema dropped auth.account.username in migrations 159/160; the only identity the wire protocol carries is the email (which doubles as the SRP6 identity).

Account info

The Profile card lists email (with verified badge), splintertag, last login, join date, and — when gametime_enabled is on — subscription expiry plus days-remaining badge. First / last name are editable inline.

Characters

Server-paginated table (default 5 rows) reading /api/v1/me/characters?page=&per_page=. Each row shows the class-coloured character name, level, race, the active game's tinted icon (silhouette tinted with the game's icon_colors), realm name, current realm phase (Pn), guild, and online state. Banned / suspended characters carry a red badge with the relevant ban metadata in a tooltip.

The Primary character pin (star) marks the character to default to in mail / auction views.

Two-factor authentication

/api/v1/me/2fa* — TOTP (RFC 6238) with HMAC-SHA1, secret stored as bytea in auth.account.totp_secret. The launcher dialog shows a real QR code (rendered with qrcode in parchment colours) plus the base32 secret for manual entry; the player confirms with their first 6-digit code before the secret is committed.

The same secret feeds the in-game login: AzerothCore's authserver already prompts for the 6-digit token if totp_secret is non-NULL, so no client patch is needed.
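
The confirm-before-commit flow described above, as an added Python sketch that is not the project's own code. PendingEnrollment, verify, the 30-second step, the ±1 step window and the replay check are assumptions; the secret is the RFC 6238 test secret.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6  # 6 digits per the page; 30 s step is the RFC 6238 default (assumed)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code: HOTP (RFC 4226) over the big-endian time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def manual_entry_key(secret: bytes) -> str:
    """Base32 form of the raw secret bytes, as shown for manual entry."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")

def verify(secret, submitted, unix_time, last_step=-1, window=1):
    """Return the matched time step, or None. Steps <= last_step are refused (replay)."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return None
    now, matched = unix_time // STEP, None
    for step in range(max(0, now - window), now + window + 1):
        # compare_digest avoids leaking how many leading digits matched
        if step > last_step and hmac.compare_digest(totp(secret, step * STEP), submitted):
            matched = step
    return matched

class PendingEnrollment:
    """Hypothetical holder: the secret reaches the account row only after confirm()."""
    def __init__(self, secret: bytes):
        self.pending, self.committed, self.last_step = secret, None, -1

    def confirm(self, code: str, unix_time: int) -> bool:
        step = verify(self.pending, code, unix_time)
        if step is None:
            return False  # nothing stored; the player can retry or cancel
        self.committed, self.last_step = self.pending, step
        return True

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real credential
    enrol = PendingEnrollment(secret)
    print(manual_entry_key(secret))
    print(enrol.confirm("000000", 59), enrol.committed)   # wrong code, nothing committed
    print(enrol.confirm("287082", 59), enrol.last_step)   # correct code for step 1
    print(verify(secret, "287082", 89, enrol.last_step))  # replayed code
```
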

Data export

A signed JSON archive of the account, including every character with its game, realm, phase, gear, mail and auctions. The export carries the account email but never the password hash. The verification key block on the same card displays the operator's Ed25519 public key so the recipient can verify the archive on a different machine.

Any other Splintertree-core based realm can import the archive, provided it ships the same original game definitions (same DBCs, same AzerothCore data shape).

Account deletion

Soft-delete by default — the account stays restorable for restore_window_days days; the player sees a Pending deletion banner during that window and can restore with one click. Operators can disable self-delete via app settings.