PocketPass API

Read and write PocketPass user data with their permission. Access is controlled via OAuth 2.0.

https://pocketpass.xyz/functions/v1/api-v1

Overview

The PocketPass API gives third-party apps access to user profiles, encounter history, friend lists, leaderboards, and more. All requests require an OAuth access token scoped to the data you need.

The API follows REST conventions: JSON request/response bodies, standard HTTP methods, and meaningful status codes.

Authentication

1. Register your app

Go to the Developer Dashboard, sign in, and create an app. You'll receive a client_id and client_secret.

2. Redirect user to authorize

// Send the user here
https://dev.pocketpass.xyz/authorize
  ?client_id=YOUR_CLIENT_ID
  &scopes=read:profile,read:encounters
  &redirect_uri=https://yourapp.com/callback

The user logs in and approves the requested scopes, then gets redirected back with an authorization code:

https://yourapp.com/callback?code=AUTH_CODE

3. Exchange code for token

POST https://pocketpass.xyz/functions/v1/api-token

{
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "code": "AUTH_CODE"
}

Response:

{
  "access_token": "abc-123-...",
  "token_type": "Bearer",
  "expires_in": 2592000,
  "scopes": ["read:profile", "read:encounters"]
}

Tokens expire after 30 days. Re-authorize the user to get a new one.

PKCE (recommended for public clients)

For mobile apps and SPAs, use PKCE to prevent authorization code interception:

// 1. Generate code_verifier (random 43-128 char string)
// 2. Compute code_challenge = base64url(SHA-256(code_verifier))
// 3. Add code_challenge to authorize URL
?client_id=...&scopes=...&code_challenge=HASH

// 4. Include code_verifier in token exchange
{ "code_verifier": "ORIGINAL", ... }

State parameter

Pass a random state value in the authorize URL. It's returned in the redirect so you can verify the response.

4. Make API calls

GET /me
Authorization: Bearer YOUR_ACCESS_TOKEN

Scopes

Scope	Access
`read:profile`	Name, avatar, origin, age, greeting, mood, games, friend code, stats
`read:encounters`	Encounter history with other users
`read:friends`	Friend list with basic profile info
`read:leaderboard`	Global leaderboard rankings
`read:spotpass`	SpotPass items and active events
`write:profile`	Update greeting and mood
`write:messages`	Send messages to friends

Profile

GET /me read:profile

Returns the authorized user's profile.

{
  "id": "312c8f81-ae71-...",
  "user_name": "simply0004",
  "avatar_hex": "AwEA...",
  "greeting": "Hello!",
  "mood": "HAPPY",
  "origin": "Sweden",
  "age": "18",
  "hobbies": "Gaming",
  "is_male": true,
  "friend_code": "56814231",
  "selected_games": ["Animal Crossing", "Mario Kart"],
  "token_balance": 42,
  "puzzle_progress": { ... }
}

PUT /profile write:profile

Update the user's greeting or mood. Only the fields you send are updated.

{
  "greeting": "Hey there!",
  "mood": "EXCITED"
}

Valid moods: HAPPY, SAD, EXCITED, SLEEPY, ANGRY, COOL, SHY, CONFUSED

Avatar

GET /me/avatar read:profile

Returns the user's Piip as a PNG image.

Param	Default	Description
`width`	270	Image width: 128, 256, or 512
`type`	face	`face`, `face_body`, or `all_body`

Response: image/png binary data.

// Embed in HTML
<img src="https://pocketpass.xyz/functions/v1/api-v1/me/avatar?width=256" />

// Fetch with token
fetch('/me/avatar?width=128', {
  headers: { 'Authorization': 'Bearer TOKEN' }
})

GET /avatar/:userId read:profile

Returns any user's Piip avatar by their user ID. Same query params as /me/avatar.

Encounters

GET /encounters read:encounters

Returns the user's encounter history, sorted newest first.

Param	Default	Description
`limit`	50	Max 100
`offset`	0	Pagination offset

[
  {
    "other_user_id": "uuid",
    "other_user_name": "Nashi",
    "other_user_avatar_hex": "AwEA...",
    "origin": "Japan",
    "greeting": "Hello!",
    "meet_count": 3,
    "timestamp": 1711152000000
  }
]

Friends

GET /friends read:friends

Returns the user's accepted friends with basic profile info.

[
  {
    "id": "uuid",
    "user_name": "Bubbleeey",
    "avatar_hex": "AwEA...",
    "origin": "UK",
    "greeting": "Hi!",
    "mood": "HAPPY",
    "friend_code": "08375706"
  }
]

Leaderboard

GET /leaderboard read:leaderboard

Returns global leaderboard rankings.

Param	Default	Description
`sort`	total_encounters	Sort field (see below)
`limit`	50	Max 100

Sort options: total_encounters, unique_encounters, unique_regions, puzzles_completed, achievements_unlocked

[
  {
    "user_id": "uuid",
    "user_name": "xevylicious",
    "avatar_hex": "AwEA...",
    "total_encounters": 247,
    "unique_encounters": 189,
    "unique_regions": 14,
    "puzzles_completed": 8,
    "achievements_unlocked": 12
  }
]

SpotPass

GET /spotpass read:spotpass

Returns all published SpotPass items (puzzle panels and events).

[
  {
    "id": "uuid",
    "type": "puzzle_panel",
    "title": "Castle Collection",
    "description": "A medieval castle puzzle",
    "panel_image_url": "https://...",
    "published_at": "2026-03-20T12:00:00Z",
    "expires_at": null
  },
  {
    "id": "uuid",
    "type": "event",
    "title": "Double Token Weekend",
    "event_effect": "{\"type\":\"token_multiplier\",\"value\":2}",
    "published_at": "2026-03-25T00:00:00Z",
    "expires_at": "2026-03-27T00:00:00Z"
  }
]

Messages

POST /messages write:messages

Send a message to a friend. The receiver must be in the user's friend list.

{
  "receiver_id": "friend-uuid",
  "content": "Hello from the API!"
}

Returns 201 Created on success.

Error Codes

Status	Meaning
`400`	Bad request — missing fields or invalid data
`401`	Missing or invalid access token
`403`	Token doesn't have the required scope
`404`	Endpoint or resource not found
`429`	Rate limited
`500`	Server error

Error responses include a JSON body:

{
  "error": "Token does not have the required scope: read:friends"
}

Rate Limits

60 requests per minute per access token. Exceeding this returns 429 with a Retry-After header.

Data Models

Profile

Field	Type	Description
`id`	UUID	User ID
`user_name`	string	Display name
`avatar_hex`	string	Piip data (base64 studio encoding)
`greeting`	string	Personal greeting shown on encounter
`mood`	string	Current mood emoji
`origin`	string	Home region/country
`age`	string	Age (user-set)
`hobbies`	string	Hobbies/interests
`is_male`	boolean	Gender for Piip body type
`friend_code`	string	8-digit friend code
`selected_games`	JSON	List of favorite games
`token_balance`	integer	Current token count

Encounter

Field	Type	Description
`other_user_id`	UUID	Encountered user's ID
`other_user_name`	string	Their display name
`other_user_avatar_hex`	string	Their Piip data
`origin`	string	Their home region
`greeting`	string	Their greeting at time of encounter
`meet_count`	integer	Times met this person
`timestamp`	long	Unix epoch millis

Leaderboard Entry

Field	Type	Description
`user_id`	UUID	User ID
`user_name`	string	Display name
`total_encounters`	integer	Total encounters (including repeats)
`unique_encounters`	integer	Unique people met
`unique_regions`	integer	Distinct regions encountered
`puzzles_completed`	integer	Puzzle panels completed
`achievements_unlocked`	integer	Achievements earned