Home docs switch Device Authentication (DAuth)
Post

Device Authentication (DAuth)

URL: https://dauth-lp1.ndas.srv.nintendo.net

Many Switch servers can only be accessed after obtaining a token from the dauth server. The dauth server only accepts requests with a valid client certificate. Every Switch has its own client certificate, which stored in PRODINFO.

Because the certificate is signed by Nintendo there is only one way to get a valid certificate: buy a Switch and dump it.

The dauth server takes form-encoded requests and responds with json-encoding. It uses base64url, and the client does not add any padding characters.

Headers

Up to 17.0.1:

HeaderDescription
Hostdauth-lp1.ndas.srv.nintendo.net
User-AgentUser agent
Accept*/*
X-Nintendo-PowerStateFA (fully awake) or HA (half awake) (7.0.0 and later, see note below)
Content-LengthContent length
Content-Typeapplication/x-www-form-urlencoded

The X-Nintendo-PowerState header is only present on system version 7.0.0 and later. In 7.0.0, there is a space between X-Nintendo-PowerState and the colon. This was fixed in 7.0.1.

Between 18.0.0 and 19.0.1, the user agent is no longer present and the headers are reordered:

HeaderDescription
Hostdauth-lp1.ndas.srv.nintendo.net
Accept*/*
Content-Typeapplication/x-www-form-urlencoded
X-Nintendo-PowerStateFA (fully awake) or HA (half awake)
Content-LengthContent length

In 20.0.0 and later, the user agent is back again, between the Accept and Content-Type headers:

HeaderDescription
Hostdauth-lp1.ndas.srv.nintendo.net
Accept*/*
User-AgentUser agent
Content-Typeapplication/x-www-form-urlencoded
X-Nintendo-PowerStateFA (fully awake) or HA (half awake)
Content-LengthContent length

User Agents

System VersionUser agent
1.0.0libcurl (nnAccount; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 0.16.29.0; Add-on 0.11.29.0)
2.0.0 - 2.3.0libcurl (nnAccount; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 1.3.0.0; Add-on 1.3.0.0)
3.0.0 - 3.0.2libcurl (nnAccount; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 3.4.0.0; Add-on 3.4.0.0)
4.0.0 - 4.1.0libcurl (nnAccount; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 4.4.0.0; Add-on 4.4.0.0)
5.0.0 - 5.1.0libcurl (nnDauth; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 5.3.0.0; Add-on 5.3.0.0)
6.0.0 - 6.1.0libcurl (nnHttp; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 6.4.0.0; Add-on 6.4.0.0)
6.2.0libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 6.4.0.0)
7.0.0 - 7.0.1libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 7.3.0.0)
8.0.0libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 8.2.99.0)
8.0.1 - 8.1.1libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 8.2.0.0)
9.0.0 - 9.2.0libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 9.3.0.0)
10.0.0 - 10.2.0libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 10.4.0.0)
11.0.0 - 11.0.1libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 11.4.0.0)
12.0.0 - 12.1.0libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 12.3.0.0)
13.0.0libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 13.3.0.0)
13.1.0 - 13.2.1libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 13.4.0.0)
14.0.0 - 14.1.2libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 14.3.0.0)
15.0.0 - 15.0.1libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 15.3.0.0)
16.0.0 - 16.1.0libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 16.2.0.0)
17.0.0 - 17.0.1libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 17.5.0.0)
20.0.0 - 20.0.1libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 20.5.4.0)

No user agent is present between system version 18.0.0 and 19.0.1.

Methods

In API version 3 and later, one must perform a cryptographic challenge to obtain a device token or edge token:

The following methods return a device token as JWT:

The following methods return a different kind of device token:

System Versions

SystemAPI
1.0.0 - 3.0.0v1
3.0.1 - 4.1.0v2
5.0.0 - 6.1.0v3
6.2.0v4
7.0.0 - 8.1.1v5
9.0.0 - 12.1.0v6
13.0.0 - 19.0.1v7
20.0.0 - 20.0.1v8

API Changes

APIChangelog
v1Initial version.
v2The API path is obfuscated with random hex string.
v3The challenge was added and the format of the system version parameter was changed. Device authentication now requires knowledge of the master key, and the client can no longer fake an unreleased system version. Also, the edge_token route was added.
v4The prefix of the system version digest was changed.
v5The X-Nintendo-PowerState header was added. The API path is no longer obfuscated.
v6The ist parameter was added.
v7The vendor_id parameter was added to the edge token request.
v8The token endpoints were renamed and now allow the client to request multiple tokens at once

Challenge Request

ParamDescription
key_generationMaster key revision

Response:

FieldDescription
challengeBase64-encoded challenge (35 bytes)
dataBase64-encoded AES key required for MAC calculation (16 bytes)

The data value never changes, but it depends on the given key generation. It is even consistent across environments. The challenge value is valid for one minute.

The challenge field used to contain 32 unknown bytes. However, at the end of 2024, the challenge was updated and contains the following 35 bytes instead:

OffsetSizeDescription
0x01Always 2
0x14Timestamp
0x51Always 0 or 2
0x629Unknown

Since the challenge is treated as an opaque piece of data, no changes were needed on the client side.

At the same time, the server stopped adding base64 padding to the challenge and data fields.

Device Token Request

This method returns a device token as JWT.

Version 1 - 2

ParamDescription
client_idApplication-specific client id
system_versionSystem version (%08x)

Response on success:

FieldDescription
expires_inExpiration in seconds (86400)
device_auth_tokenDevice token

Version 3 - 5

A challenge was added and the format of the system version parameter was changed:

ParamDescription
challengeBase64-encoded challenge
client_idApplication-specific client id
key_generationMaster key revision
system_versionSystem version digest
macBase64-encoded AES-CMAC of all previous fields in form-encoding

The key for the AES-CMAC is calculated as follows, using AES-ECB:

  1. The aes_kek_generation_source is decrypted with the master key.
  2. The dauth key source is decrypted with the key from step 1.
  3. The key from the data field of the challenge is decrypted with the key from step 2.

The dauth key source is: 8be45abcf987021523ca4f5e2300dbf0

Version 6 - 7

An ist parameter was added:

ParamDescription
challengeBase64-encoded challenge
client_idApplication-specific client id
isttrue or false (depends on platform region)
key_generationMaster key revision
system_versionSystem version digest
macBase64-encoded AES-CMAC of all previous fields in form-encoding

Version 8

The endpoint now accepts a JSON body instead of form-encoding, and allows the client to request multiple tokens at once:

FieldDescription
system_versionSystem version in hexadecimal (e.g. 00140001 for 20.0.1)
fw_revisionSystem version hash (hex string)
isttrue or false (depends on platform region)
token_requestsList of token requests
key_generationMaster key revision
challengeBase64-encoded challenge
macBase64-encoded AES-CMAC of all previous fields in form-encoding. The fields are encoded in the following order: challenge, fw_revision, ist, key_gneration, system_version and token_requests. The token_requests field is encoded with JSON without whitespace and without percent-encoding any characters.

Every token request is a dictionary with one or two fields:

FieldDescription
client_idClient id
vendor_idakamai, llnw, lumen, fastly or cloudflare (only present in edge token requests)

Response on success:

FieldDescription
resultsList of token results

Every token result contains the following fields:

FieldDescription
client_idClient id from request
device_auth_tokenDevice token
expires_inExpiration in seconds (86400)

Edge Token Request

This method returns a different kind of device token. Up to v6, it takes the same parameters as /device_auth_token.

Response on success:

FieldDescription
expires_inExpiration in seconds (86400)
dtokenEdge token

Version 7

A vendor_id parameter was added:

ParamDescription
challengeBase64-encoded challenge
client_idApplication-specific client id
isttrue or false (depends on platform region)
key_generationMaster key revision
system_versionSystem version digest
vendor_idakamai, llnw or lumen
macBase64-encoded AES-CMAC of all previous fields in form-encoding

Version 8

The request is the same as the /device_auth_tokens request, except that a vendor_id field is present next to each client id. The response contains a results array, where every element contains the following fields:

FieldDescription
client_idClient id from request
vendor_idVendor id from request
dtokenEdge token
expires_inExpiration in seconds (86400)

Master Key Revisions

System versionKey generation
5.0.0 - 5.1.05
6.0.0 - 6.1.06
6.2.07
7.0.0 - 8.0.18
8.1.0 - 8.1.19
9.0.0 - 9.0.110
9.1.0 - 12.1.011
13.0.0 - 13.2.113
14.0.0 - 14.1.214
15.0.0 - 15.0.115
16.0.0 - 16.1.016
17.0.0 - 18.1.017
19.0.0 - 19.0.119
20.0.0 - 20.0.120

Known Client IDs

Device tokens:

Client IDDescription
146c8ac7b8a0db52SCSI storage
16e96f76850156d1Crash reports
6ac5a6873fe5f68cSATA storage
75fe236362ff5f8bNintendo account applet
81333c548b2e876dNintendo account API
83b72b05dc3278d7NPNS
8f849b5d34778d8eAAuth and BaaS
93af0acb26258de9Beach and Bugyo
bad8156f44ac935aSProfile
d5b6cac2c1514c56Dragons and Vermillion
dc656ea03b63cf68Parental controls
df51c436bc01c437Prepo
e58171fe439390cePenne

Edge tokens:

Client IDDescription
146c8ac7b8a0db52SCSI storage
3117b250cab38f45Atum and IDBE
41f4a6491028e3c4Pushmo and Tagaya
67bf9945b45248c6BCAT
93af0acb26258de9Beach and Bugyo
d98185acb55994b4SCSI policy

Errors

On error, the server sends the following response:

FieldDescription
errorsList of errors

Every error is encoded like this:

FieldDescription
codeError code (string with 4 digits)
messageError message

Known Errors

For more detailed descriptions, see below.

Most errors use HTTP status code 400. The only known exception is error 0009, which uses status code 500.

CodeMessage
0004Unauthorized device.
0007System update is required.
0008Device has been banned.
0009Internal Server Error.
0010?
0011?
0013?
0014Invalid parameter in request.
0015Invalid parameter in request.
0016Invalid parameter in request.
0017This device might be broken.
0018?
0019?
0020?
0021?
0022?
0023?
0024?
0025?
0026?
0027?
0028?
0029?
0030?
0031?
CodeDescription
0004The device certificate belongs to a different environment.
0007A system update is required.
0008The device is banned permanently.
0009An internal server error has occurred.
0014Generic error.
0015The challenge has expired.
0016The MAC is wrong.
0017The device is banned.

Examples

Note that the client must always use a valid device certificate as the client certificate. If the client does not provide a certificate, the nginx server used to reject the request:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
HTTP/1.1 400 Bad Request
Server: nginx
Date: Sun, 26 Sep 2021 19:21:43 GMT
Content-Type: text/html
Content-Length: 246
Connection: close

<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>

Nowadays, the server terminates the connection immediately after the TLS handshake instead.

Before anything else, one must obtain a challenge:

1
2
3
4
5
6
7
8
9
POST /v7/challenge HTTP/1.1
Host: dauth-lp1.ndas.srv.nintendo.net
User-Agent: libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 13.3.0.0)
Accept: */*
X-Nintendo-PowerState: FA
Content-Length: 17
Content-Type: application/x-www-form-urlencoded

key_generation=13
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Sep 2021 19:21:43 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Vary: Accept
ETag: W/"eb797bb39b7f70a033c7bbd5020bf9f0"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: b1afb7d0-b6d9-4eff-8561-0159c97cdf58
X-Runtime: 0.009675
X-Nintendo-Used-Directive: global auth
X-Nintendo-Request-Host-Header: dauth-lp1.ndas.srv.nintendo.net
X-Nintendo-Request-SNI: dauth-lp1.ndas.srv.nintendo.net

{"challenge":"mtAvqNqzYSoCEixxL_rjWoHfdDjAH51h5XcKZ6ksq2s=","data":"1OikFLkHptkhDpqy7VHb3g=="}

Then, one can obtain a device token:

1
2
3
4
5
6
7
8
9
POST /v7/device_auth_token HTTP/1.1
Host: dauth-lp1.ndas.srv.nintendo.net
User-Agent: libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 13.3.0.0)
Accept: */*
X-Nintendo-PowerState: FA
Content-Length: 211
Content-Type: application/x-www-form-urlencoded

challenge=mtAvqNqzYSoCEixxL_rjWoHfdDjAH51h5XcKZ6ksq2s=&client_id=8f849b5d34778d8e&ist=false&key_generation=13&system_version=CusHY#000d0000#r1xneESd4PiTRYIhVIl0bK1ST5L5BUmv_uGPLqc4PPo=&mac=AW9LE1TSN0xrzY1FfHHXwg
1
2
3
4
5
6
7
8
9
10
11
12
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Sep 2021 19:21:43 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
...
X-Nintendo-Used-Directive: global auth
X-Nintendo-Request-Host-Header: dauth-lp1.ndas.srv.nintendo.net
X-Nintendo-Request-SNI: dauth-lp1.ndas.srv.nintendo.net

{"expires_in":86400,"device_auth_token":"eyJqa3UiOiJodHRwczovL2RjZXJ0LWxwMS5uZGFzLnNydi5uaW50ZW5kby5uZXQva2V5cyIsImtpZCI6IjM2NzllMTg4LTI5ZWUtNDE4Zi04ZDkwLWI3MjRjYzg1MzQ0MSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI2ODMzN2FjYTI4ODE1Y2JiIiwiaXNzIjoiZGF1dGgtbHAxLm5kYXMuc3J2Lm5pbnRlbmRvLm5ldCIsImF1ZCI6IjhmODQ5YjVkMzQ3NzhkOGUiLCJleHAiOjE2MzI3NjMzMDEsImlhdCI6MTYzMjY3NjkwMSwianRpIjoiZTU5YTBiMGUtOTRlMS00NGFhLWI1ZGItMGZjMGNmNTAyYWRhIiwibmludGVuZG8iOnsic24iOiJYQVcxMDAxMjM0NTY3OCIsInBjIjoiSEFDIiwiZHQiOiJOWCBQcm9kIDEiLCJpc3QiOmZhbHNlfX0.Mdl42B_tWnQQZkpp0qkvEwpkAFGos1YQ8OBKDr_rJCQlNVZLrP6_sd53U8kvwI6TWbnuxFtNxcVJh21kbbY23WsjwQN9Ph2pbjEmneov5b5SfAjWSvfEqt_ViKFQVLv_MZZXQpBYZSQmJ3sA-BbOjeEO6JI5XI3_KR0uj9IxSH_LNSiEwMMNLkP0PcC3gO5cSKcmnb1NPW2BMMdlKOSIbxDSWE4sEuYt2Pl_u2F6hVMVeoC-4z43lIv2tv7aF9Pwv-D7MR-mOxQaxYVHw2Ux4FL0zPZOJMU6qPgfzACeItd6H_A4OBMKSQwBl4DEbSwdle5tph-ur01K91FhXhI6BA"}

Or an edge token:

1
2
3
4
5
6
7
8
9
POST /v7/edge_token HTTP/1.1
Host: dauth-dd1.ndas.srv.nintendo.net
User-Agent: libcurl (nnDauth; 16f4553f-9eee-4e39-9b61-59bc7c99b7c8; SDK 13.3.0.0)
Accept: */*
X-Nintendo-PowerState: FA
Content-Length: 228
Content-Type: application/x-www-form-urlencoded

challenge=mtAvqNqzYSoCEixxL_rjWoHfdDjAH51h5XcKZ6ksq2s=&client_id=67bf9945b45248c6&ist=false&key_generation=13&system_version=CusHY#000d0000#r1xneESd4PiTRYIhVIl0bK1ST5L5BUmv_uGPLqc4PPo=&vendor_id=akamai&mac=8HKiiCC5Zqp3zxut8sSWZw
1
2
3
4
5
6
7
8
9
10
11
12
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Sep 2021 19:21:43 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
...
X-Nintendo-Used-Directive: global auth
X-Nintendo-Request-Host-Header: dauth-dd1.ndas.srv.nintendo.net
X-Nintendo-Request-SNI: dauth-dd1.ndas.srv.nintendo.net

{"expires_in":86400,"dtoken":"exp=1632763301~acl=%2F%2A~data=sub=68337aca28815cbb.sn=XAW10012345678.id=a73ff2b9-e772-4dc6-a01e-0861227bd202~hmac=bb7c0f27edddeb50777ec6a2fba6deacd8b8fc04faeaaaa864027c54767dea6c"}

Example of an error response:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
HTTP/1.1 400 Bad Request
Server: nginx
Date: Sun, 26 Sep 2021 19:21:43 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Vary: Accept
Cache-Control: no-cache
X-Request-Id: 84a8a661-a312-480a-b389-35cf83106b51
X-Runtime: 0.007699

{"errors":[{"code":"0014","message":"Invalid parameter in request."}]}
Contents