
Switch Tokens

Many Switch servers use JWTs (JSON Web Tokens) for authentication. A JWT is a simple, standardized way to pass information between servers without storing it in a database. It consists of three parts separated by dots, each encoded with base64url (no padding).

JWTs are described formally in RFC 7515, RFC 7518 and RFC 7519.

Details on specific kinds of token:

- DAuth Tokens
- AAuth Tokens
- BaaS Access Tokens
- BaaS User Tokens
- ID Tokens
- Contents Authorization Token for AAuth
- NPLN Access Tokens

Header

The first part contains metadata about the JWT, such as the signature algorithm that is used.

| Field | Description |
| --- | --- |
| alg | Algorithm: usually RS256, but the NPLN server uses ES256. |
| jku | JWK Set URL: the URL of a server that provides a JWK set. This server provides the public keys that are used to verify the signature of the JWT. |
| kid | Key ID: selects a key from the JWK set provided by the jku server. This is a UUID v4 on Nintendo's servers. |
| typ | Type: always JWT. |

Example:

```json
{
  "jku": "https://dcert-lp1.ndas.srv.nintendo.net/keys",
  "kid": "2567fb65-eacb-48ba-9eb0-ed815a9f1a06",
  "typ": "JWT",
  "alg": "RS256"
}
```

Payload

The second part contains the information that’s stored in the JWT, such as the user id. The content of the payload depends on the type of token, but the following fields are usually present:

| Field | Description |
| --- | --- |
| sub | Subject: an id that identifies what the JWT is about, such as a user id. |
| aud | Audience: an id that specifies the intended recipient of the JWT (server-side). |
| exp | Expiration Time: a timestamp that specifies the expiration date of the JWT. |
| iat | Issued At: a timestamp that specifies the time at which the token was generated. |
| iss | Issuer: the server that generated the JWT. |
| jti | JWT ID: a unique id per generated JWT. |

Signature

The third part contains the signature, which lets a recipient detect any modification of the header or payload. Nintendo uses the RS256 algorithm on most servers, but the NPLN server uses ES256 instead.

The signature is calculated over the base64url-encoded header and payload joined with a dot. Only the server can generate the signature, because only the server knows the private keys. Anyone can verify the signature, though, because anyone can download the public keys from the server that hosts the JWK set.

JWK Set

The JWK set contains a set of public keys that can be used to verify the signature of the JWT. It’s hosted by the server that’s specified in the jku field in the header.

Each JWK contains the following fields:

| Field | Description |
| --- | --- |
| kty | Key Type: always RSA. |
| e | Exponent: the public exponent of the RSA key (base64url). |
| n | Modulus: the public modulus of the RSA key (base64url). |
| alg | Algorithm: always RS256. |
| use | Public Key Use: always sig. |
| kid | Key ID: a unique id that identifies the key. This id is also specified in the JWT header. |

The baas server also returns the following fields:

| Field | Description |
| --- | --- |
| usage | developer or internal |
| x5c | X.509 Certificate Chain |

JWKs are described formally in RFC 7517 and RFC 7518.

Most JWKs are regenerated every 24 hours. The only exception is the JWK for BaaS access and user tokens, which never changes. To ensure that all valid tokens can be verified, even after a new JWK is generated, the JWK set contains the two previous JWKs as well.
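The verification flow described above (split the token on dots, read alg, kid and jku from the header, select the JWK by kid, check the RS256 signature over header.payload), as an added Go example that is not code from this page or from the project it documents. It assumes the JWK set has already been fetched from the pinned jku URL and parsed into maps of its string fields; dauthJKU, VerifyRS256 and rng are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT parts are base64url without '=' padding
var rng = rand.Reader           // randomness source for callers that mint demo keys

// The jku inside a token is untrusted input: keys are only taken from the JWK set at this pinned URL.
const dauthJKU = "https://dcert-lp1.ndas.srv.nintendo.net/keys"

// VerifyRS256 checks a DAuth-style token against the (already fetched and parsed) JWK set from dauthJKU and returns the raw payload JSON.
func VerifyRS256(token string, keys []map[string]string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("expected 3 dot-separated parts, got %d", len(parts)) }
	var h map[string]string
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil {
		return nil, fmt.Errorf("malformed header")
	}
	// Pin alg, typ and jku on the verifier's side; never let the token choose them.
	if h["alg"] != "RS256" || h["typ"] != "JWT" || h["jku"] != dauthJKU {
		return nil, fmt.Errorf("rejected header %v", h)
	}
	var pub *rsa.PublicKey
	for _, k := range keys { // select the key by kid, as the header section describes
		if k["kid"] == h["kid"] && k["kty"] == "RSA" && k["use"] == "sig" && k["alg"] == "RS256" {
			n, _ := b64.DecodeString(k["n"])
			e, _ := b64.DecodeString(k["e"])
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil { return nil, fmt.Errorf("no usable key for kid %q or malformed signature", h["kid"]) }
	// The signature covers header.payload exactly as encoded, with the dot in between.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	return b64.DecodeString(parts[1])
}
```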

Example

```
eyJqa3UiOiJodHRwczovL2RjZXJ0LWxwMS5uZGFzLnNydi5uaW50ZW5kby5uZXQva2V5cyIsImtpZCI6IjM2NzllMTg4LTI5ZWUtNDE4Zi04ZDkwLWI3MjRjYzg1MzQ0MSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI2ODMzN2FjYTI4ODE1Y2JiIiwiaXNzIjoiZGF1dGgtbHAxLm5kYXMuc3J2Lm5pbnRlbmRvLm5ldCIsImF1ZCI6IjhmODQ5YjVkMzQ3NzhkOGUiLCJleHAiOjE2MzI3NjMzMDEsImlhdCI6MTYzMjY3NjkwMSwianRpIjoiZTU5YTBiMGUtOTRlMS00NGFhLWI1ZGItMGZjMGNmNTAyYWRhIiwibmludGVuZG8iOnsic24iOiJYQVcxMDAxMjM0NTY3OCIsInBjIjoiSEFDIiwiZHQiOiJOWCBQcm9kIDEiLCJpc3QiOmZhbHNlfX0.Mdl42B_tWnQQZkpp0qkvEwpkAFGos1YQ8OBKDr_rJCQlNVZLrP6_sd53U8kvwI6TWbnuxFtNxcVJh21kbbY23WsjwQN9Ph2pbjEmneov5b5SfAjWSvfEqt_ViKFQVLv_MZZXQpBYZSQmJ3sA-BbOjeEO6JI5XI3_KR0uj9IxSH_LNSiEwMMNLkP0PcC3gO5cSKcmnb1NPW2BMMdlKOSIbxDSWE4sEuYt2Pl_u2F6hVMVeoC-4z43lIv2tv7aF9Pwv-D7MR-mOxQaxYVHw2Ux4FL0zPZOJMU6qPgfzACeItd6H_A4OBMKSQwBl4DEbSwdle5tph-ur01K91FhXhI6BA
```

DAuth Tokens

Header fields:

| Field | Value |
| --- | --- |
| alg | RS256 |
| jku | https://dcert-lp1.ndas.srv.nintendo.net/keys |
| kid | Key id |
| typ | JWT |

Payload fields:

| Field | Description |
| --- | --- |
| sub | Device id |
| aud | Client id |
| exp | Expires at |
| iat | Issued at |
| iss | dauth-lp1.ndas.srv.nintendo.net |
| jti | JWT id |
| nintendo | Device information |

Device Information

| Field | Description |
| --- | --- |
| sn | Serial number |
| pc | Product code: HAC |
| dt | Device type: NX Prod 1 |
| ist | IsT (bool) |

Example

```json
{
    "sub": "68337aca28815cbb",
    "aud": "8f849b5d34778d8e",
    "exp": 1632763301,
    "iat": 1632676901,
    "iss": "dauth-lp1.ndas.srv.nintendo.net",
    "jti": "e59a0b0e-94e1-44aa-b5db-0fc0cf502ada",
    "nintendo": {
        "sn": "XAW10012345678",
        "pc": "HAC",
        "dt": "NX Prod 1",
        "ist": false
    }
}
```
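The DAuth example token from the JWK Set section, decoded and its claims checked against the payload rules above (issuer, audience, iat/exp window), as an added Go example that is not code from this page or from the project it documents. DecodeDAuth, CheckDAuth and the clientID parameter are names chosen here, and the signature is assumed to have been verified separately before the claims are trusted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// DAuthClaims mirrors the DAuth payload fields documented above; Nintendo holds the device information.
type DAuthClaims struct {
	Sub, Aud, Iss, Jti string
	Exp, Iat           int64
	Nintendo           map[string]any
}

// The example token from the JWK Set section of this page (taken from the page, not constructed here).
const exampleToken = "eyJqa3UiOiJodHRwczovL2RjZXJ0LWxwMS5uZGFzLnNydi5uaW50ZW5kby5uZXQva2V5cyIsImtpZCI6IjM2NzllMT" +
	"g4LTI5ZWUtNDE4Zi04ZDkwLWI3MjRjYzg1MzQ0MSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI2" +
	"ODMzN2FjYTI4ODE1Y2JiIiwiaXNzIjoiZGF1dGgtbHAxLm5kYXMuc3J2Lm5pbnRlbmRvLm5ldCIsImF1ZCI6IjhmOD" +
	"Q5YjVkMzQ3NzhkOGUiLCJleHAiOjE2MzI3NjMzMDEsImlhdCI6MTYzMjY3NjkwMSwianRpIjoiZTU5YTBiMGUtOTRl" +
	"MS00NGFhLWI1ZGItMGZjMGNmNTAyYWRhIiwibmludGVuZG8iOnsic24iOiJYQVcxMDAxMjM0NTY3OCIsInBjIjoiSE" +
	"FDIiwiZHQiOiJOWCBQcm9kIDEiLCJpc3QiOmZhbHNlfX0.Mdl42B_tWnQQZkpp0qkvEwpkAFGos1YQ8OBKDr_rJCQl" +
	"NVZLrP6_sd53U8kvwI6TWbnuxFtNxcVJh21kbbY23WsjwQN9Ph2pbjEmneov5b5SfAjWSvfEqt_ViKFQVLv_MZZXQp" +
	"BYZSQmJ3sA-BbOjeEO6JI5XI3_KR0uj9IxSH_LNSiEwMMNLkP0PcC3gO5cSKcmnb1NPW2BMMdlKOSIbxDSWE4sEuYt" +
	"2Pl_u2F6hVMVeoC-4z43lIv2tv7aF9Pwv-D7MR-mOxQaxYVHw2Ux4FL0zPZOJMU6qPgfzACeItd6H_A4OBMKSQwBl4" +
	"DEbSwdle5tph-ur01K91FhXhI6BA"

// DecodeDAuth extracts the payload claims. It does NOT check the signature, so act on the result only after the signature has been verified against the jku JWK set.
func DecodeDAuth(token string) (DAuthClaims, error) {
	var c DAuthClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return c, fmt.Errorf("expected 3 dot-separated parts, got %d", len(parts)) }
	raw, err := base64.RawURLEncoding.DecodeString(parts[1]) // base64url, no padding
	if err != nil { return c, err }
	return c, json.Unmarshal(raw, &c) // struct field names match the lowercase keys case-insensitively
}

// CheckDAuth enforces what a relying server must check: the expected issuer, its own client id as audience, and the iat/exp validity window at time now (unix seconds; exp is exclusive).
func CheckDAuth(c DAuthClaims, clientID string, now int64) error {
	switch {
	case c.Iss != "dauth-lp1.ndas.srv.nintendo.net":
		return fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != clientID:
		return fmt.Errorf("token is for client %q, not %q", c.Aud, clientID)
	case now < c.Iat || now >= c.Exp:
		return fmt.Errorf("not valid at %d (iat=%d, exp=%d)", now, c.Iat, c.Exp)
	}
	return nil
}
```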

AAuth Tokens

Header fields:

| Field | Value |
| --- | --- |
| alg | RS256 |
| jku | https://acert-lp1.ndas.srv.nintendo.net/keys |
| kid | Key id |
| typ | JWT |

Payload fields:

| Field | Description |
| --- | --- |
| sub | Title id (%016x) |
| exp | Expires at |
| iat | Issued at |
| iss | aauth-lp1.ndas.srv.nintendo.net |
| jti | JWT id |
| nintendo | Application information |

Application Information

| Field | Description |
| --- | --- |
| ai | Application id (%016x) |
| av | Application version (%04x) |
| at | Application time (current timestamp) |
| edi | Unique id (32 hex digits) |
| opp | Online play policy: MEMBERSHIP_REQUIRED or FREE |

Only present if online play policy is MEMBERSHIP_REQUIRED:

| Field | Description |
| --- | --- |
| ph | Policy handler: SYSTEM or GAME_SERVER |

Only present for system titles:

| Field | Description |
| --- | --- |
| di | Device id |
| sn | Serial number |
| pc | Product code (HAC) |
| dt | Device type (NX Prod 1) |
| ist | IsT (bool) |

Example

```json
{
    "sub": "0100abf008968000",
    "exp": 1632763301,
    "iat": 1632676901,
    "iss": "aauth-lp1.ndas.srv.nintendo.net",
    "jti": "82df667b-0da1-4381-87e4-1ae403c8b568",
    "nintendo": {
        "ai": "0100abf008968000",
        "av": "0007",
        "at": 1632676901,
        "edi": "b46bda4e1dd5e7ce002430a68b2c6d4e",
        "opp": "MEMBERSHIP_REQUIRED",
        "ph": "GAME_SERVER"
    }
}
```

BaaS Access Tokens

Header fields:

| Field | Value |
| --- | --- |
| alg | RS256 |
| jku | https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com/1.0.0/internal_certificates |
| kid | 3083c1b2-5d68-434b-be32-11f915570500 |

Payload fields:

| Field | Description |
| --- | --- |
| sub | ed9e2f05d286f7b8 |
| aud | ed9e2f05d286f7b8 |
| exp | Expires at |
| iat | Issued at |
| iss | https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com |
| jti | JWT id |
| typ | Always token |
| bs:grt | Grant type (always 1) |
| bs:sts | Status (always [385]) |
| nintendo | Device information |

Device Information

| Field | Description |
| --- | --- |
| dt | Device type: NX Prod 1 |
| pc | Product code: HAC |
| di | Device id |
| sn | Serial number |
| ist | IsT (bool) |

Example

```json
{
    "sub": "ed9e2f05d286f7b8",
    "aud": "ed9e2f05d286f7b8",
    "exp": 1632687701,
    "iat": 1632676901,
    "iss": "https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com",
    "jti": "878d0735-571a-4b94-82a6-2bf183114db1",
    "typ": "token",
    "bs:grt": 1,
    "bs:sts": [385],
    "nintendo": {
        "dt": "NX Prod 1",
        "pc": "HAC",
        "di": "68337aca28815cbb",
        "sn": "XAW10012345678",
        "ist": false
    }
}
```

BaaS User Tokens

Header fields:

| Field | Value |
| --- | --- |
| alg | RS256 |
| jku | https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com/1.0.0/internal_certificates |
| kid | 3083c1b2-5d68-434b-be32-11f915570500 |

Payload fields:

| Field | Description |
| --- | --- |
| sub | User id (%016x) |
| aud | ed9e2f05d286f7b8 |
| exp | Expires at |
| iat | Issued at |
| iss | https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com |
| jti | JWT id |
| typ | Always token |
| bs:grt | Grant type (always 2) |
| bs:did | Device account id |
| bs:sts | Status (always [10414578180576298,272640,1,0,0,19316357715722240,16]) |

Example:

```json
{
    "sub": "b4922963e6b8deb2",
    "aud": "ed9e2f05d286f7b8",
    "exp": 1644766994,
    "iat": 1644756194,
    "iss": "https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com",
    "jti": "aedb91a6-1cf9-4a0e-bfbd-1ccdd191b4e3",
    "typ": "token",
    "bs:grt": 2,
    "bs:did": "2ded458f5e0beee2",
    "bs:sts": [10414578180576298, 272640, 1, 0, 0, 19316357715722240, 16]
}
```

ID Tokens

Header fields:

| Field | Value |
| --- | --- |
| alg | RS256 |
| jku | https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com/1.0.0/certificates |
| kid | Key id |

Payload fields:

| Field | Description |
| --- | --- |
| sub | User id (%016x) |
| aud | Always ed9e2f05d286f7b8 |
| exp | Expires at |
| iat | Issued at |
| iss | https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com |
| jti | JWT id |
| typ | Always id_token |
| bs:did | Device account id (%016x) |
| nintendo | Application information (only present if an aauth token is provided) |

Application Information

| Field | Description |
| --- | --- |
| ai | Application id (%016x) |
| av | Application version (%04x) |
| at | Application time (current timestamp) |
| edi | Unique id (copied from aauth token) |

Only present if the policy handler is GAME_SERVER:

| Field | Description |
| --- | --- |
| ph | GAME_SERVER |
| opp | MEMBERSHIP_REQUIRED |
| hm | Bool, whether the user has an NSO membership |

Example

```json
{
    "sub": "b4922963e6b8deb2",
    "aud": "ed9e2f05d286f7b8",
    "exp": 1644766994,
    "iat": 1644756194,
    "iss": "https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com",
    "jti": "164eea2b-508c-47d0-9d48-9eca1cac0f56",
    "typ": "id_token",
    "bs:did": "2ded458f5e0beee2",
    "nintendo": {
        "ai": "0100abf008968000",
        "av": "0007",
        "at": 1644756194,
        "edi": "84e16d390427028b3788ef082d342ce0"
    }
}
```

Contents Authorization Token for AAuth

Payload fields:

| Field | Description |
| --- | --- |
| aud | Title id (%016x) |
| exp | Expires at |
| iat | Issued at |
| iss | lp1.dragons.nintendo.net |
| jti | JWT id |
| device_id | Device id (%016x) |
| content | Content information |

Content Information

| Field | Description |
| --- | --- |
| title_id | Title id (%016x) |
| na_id | Nintendo account id (%016x) |
| ticket_id | Ticket id (integer) |
| is_owned_rights | Boolean |

Example

```json
{
    "aud": "010040600c5ce000",
    "exp": 1667334879,
    "iat": 1667248479,
    "iss": "lp1.dragons.nintendo.net",
    "jti": "4df2e656-8e96-409a-8a7e-bd1dd1bbc572",
    "device_id": "62659661e3fdfe11",
    "content": {
        "title_id": "010040600c5ce000",
        "na_id": "72b0f0bdb31753d5",
        "ticket_id": 72212894349604939,
        "is_owned_rights": true
    }
}
```

NPLN Access Tokens

Header fields:

| Field | Value |
| --- | --- |
| alg | ES256 |
| jku | jwkSets/nplnAccessToken |
| kid | Key id |

Payload fields:

| Field | Description |
| --- | --- |
| sub | NPLN user id |
| exp | Expires at |
| iat | Issued at |
| iss | default iss |
| npln | NPLN information |

NPLN Information

| Field | Description |
| --- | --- |
| tid | Tenant id |
| aid | NPLN account id |
| app_id | Title id (%016x) |
| ext_id | External id (%016x) |
| ext_id_type | Always 1 (meaning nsa_id_token) |
| authorization | Authorization information (see Authorization Information below) |

Authorization Information

| Field | Description |
| --- | --- |
| allow | List of allowed services |
| deny | List of denied services |
| nso_restricted | Boolean |

Example

```json
{
    "sub": "u-qrz62qwckcdi64n2woom",
    "exp": 1669741833,
    "iat": 1669713033,
    "iss": "default iss",
    "npln": {
        "tid": "t-50e39f8f-lp1",
        "aid": "a-atqget1l7bndtkkkoq0m",
        "app_id": "01008f6008c5e000",
        "ext_id": "b4922963e6b8deb2",
        "ext_id_type": 1,
        "authorization": {
            "allow": ["nn.npln.auth.**", "**"],
            "deny": [],
            "nso_restricted": false
        }
    }
}
```