Security-conscious XBL3.0 token helper using MSAL and the OS keyring.
Project description
xbl3auth
Security-conscious helper library and CLI for obtaining XBL3.0 tokens for Xbox Live.
- Uses official Microsoft auth (MSAL) instead of scraping login pages.
- Never handles raw passwords: relies on browser/OS for sign-in.
- Stores refresh tokens in the OS keyring (Credential Manager, Keychain, etc.).
- Keeps XBL3.0 tokens in memory by default, printing to stdout when requested.
- Ships with a built-in public client ID and a remote config endpoint for rotation.
This library is for legitimate use with accounts you control. Respect Microsoft ToS and local laws.
Installation
poetry add xbl3auth
# or
pip install xbl3auth
CLI usage
The CLI uses, in order of precedence:
- --client-id flag
- XBL3AUTH_CLIENT_ID environment variable
- Remote config endpoint
- Built-in default client ID
Basic usage:
python -m xbl3auth
This will:
- Resolve the effective client ID.
- Start a device code flow (you sign in in a browser).
- Store a refresh token in your OS keyring.
- Fetch an XBL3.0 token and print it to stdout:
XBL3.0 x=<uhs>;<token>
Overriding the client ID
Advanced users can supply their own Azure app registration in either of two ways:
- Command-line flag
python -m xbl3auth --client-id "<your-azure-client-id>"
- Environment variable
export XBL3AUTH_CLIENT_ID="<your-azure-client-id>"
python -m xbl3auth
JSON output
python -m xbl3auth --print-json
Library usage
from xbl3auth import XblAuthConfig, Xbl3AuthService
config = XblAuthConfig() # uses remote/built-in client_id by default
service = Xbl3AuthService(config, account_id="default")
xbl3_token = service.get_xbl3_token()
print(xbl3_token)
To use a custom client ID:
config = XblAuthConfig(client_id="<your-client-id>")
Security model
- No credential files: No email:password lists, no plaintext token dumps by default.
- Keyring-backed: Refresh tokens are stored in the OS keyring:
  - Windows Credential Manager
  - macOS Keychain
  - GNOME Keyring / KWallet (depending on environment)
- Short-lived tokens: XBL3.0 tokens are treated as in-memory, ephemeral values.
- Logging discipline: Library is designed so callers can log error metadata without leaking secrets.
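One way a caller can enforce the logging discipline point on its own side is a logging filter that scrubs any value in the `XBL3.0 x=<uhs>;<token>` format before a handler writes it. This is an added example, not code from xbl3auth; `redact`, `RedactXbl3Filter` and `demo` are hypothetical names and the sample token is constructed.

```python
import logging
import re

# Header format from this page: XBL3.0 x=<uhs>;<token>. Assumption: token ends at whitespace or a quote.
_XBL3_RE = re.compile(r"(XBL3\.0\s+x=)[^;\s]+;[^\s\"']+")


def redact(text: str) -> str:
    """Replace the user hash and token of any XBL3.0 value with placeholders."""
    return _XBL3_RE.sub(r"\1<redacted-uhs>;<redacted-token>", text)


class RedactXbl3Filter(logging.Filter):
    """Hypothetical filter: scrubs XBL3.0 values before a handler formats the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed as %-style args are caught too.
        record.msg = redact(record.getMessage())
        record.args = None
        if record.exc_info:
            # Exception text often echoes request headers; pre-render and scrub it.
            text = logging.Formatter().formatException(record.exc_info)
            record.exc_text = redact(text)
            record.exc_info = None
        return True


def demo() -> list[str]:
    """Log constructed sample messages through the filter and return the output."""
    captured: list[str] = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            captured.append(self.format(record))

    log = logging.getLogger("xbl3auth-redaction-demo")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = ListHandler()
    handler.addFilter(RedactXbl3Filter())
    log.addHandler(handler)
    fake = "XBL3.0 x=1234567890;eyJhbGciOiJ.constructed.sample"  # constructed, not a real token
    log.info("request failed status=%s auth=%s", 401, fake)
    try:
        raise RuntimeError(f"upstream rejected header '{fake}'")
    except RuntimeError:
        log.exception("token fetch failed")
    return captured
```

Attach the filter to every handler rather than to a single logger, since logger-level filters do not run for records propagated from child loggers.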
Testing
poetry install
poetry run pytest
Tests:
- Use an in-memory secret storage backend.
- Monkeypatch HTTP requests to avoid real network calls.
- Avoid touching the real keyring.
File details
Details for the file xbl3auth-0.1.0.tar.gz.
File metadata
- Download URL: xbl3auth-0.1.0.tar.gz
- Upload date:
- Size: 11.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.1.3 CPython/3.12.11 Windows/11
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 94b7532d9725254c508c668c127b9bdda64883a48ad1c789077f97a33537cd45 |
| MD5 | c471eb579dc5ba260f91b0bbb537e264 |
| BLAKE2b-256 | bc3909dc712cc0117d7a76f023b8a8b79faa0656266c0f7814dbf9d33fe4fee5 |
File details
Details for the file xbl3auth-0.1.0-py3-none-any.whl.
File metadata
- Download URL: xbl3auth-0.1.0-py3-none-any.whl
- Upload date:
- Size: 15.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.1.3 CPython/3.12.11 Windows/11
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ad9262d9eb0e7bff2d99eee36523b8f600a66dfb910a1066de86e17e28a5221c |
| MD5 | 731ea558f084cd41c709f24c129be9bc |
| BLAKE2b-256 | 1af0556160ccd9d41d953bbc5ae4c95ee2a40764bcf80e21ae6e06281c111a80 |