POST (/users/{requestorId}/permission/validate)
Gets a set of yes-or-no answers about whether the user is allowed to perform specified actions with a set of target users.
- Remarks
- URI parameters
- Authorization
- Required Request Headers
- Request body
- HTTP status codes
- Required Response Headers
- Response body
Remarks
The request body takes a list of users and a list of settings, and the result is an allowed/blocked result for each user/setting pair.
In cross-network multiplayer scenarios (where privacy communications checks must be performed between users that have an Xbox User ID (XUID) and off-network users that do not), please refer to PermissionCheckBatchRequest (JSON) for User types.
URI parameters
Parameter | Type | Description |
---|---|---|
requestorId | string | Required. Identifier of the user performing the action. The possible values are xuid({xuid}) and me. This must be a logged-in user. Example value: xuid(0987654321). |
Authorization
Authorization claims used
Claim | Type | Required? | Example value |
---|---|---|---|
Xuid | 64-bit signed integer | yes | 1234567890 |
Required Request Headers
Header | Type | Description |
---|---|---|
Authorization | string | Authentication credentials for HTTP authentication. Example values: XBL3.0 x=<userhash>;<token> |
X-RequestedServiceVersion | string | Build name/number of the Xbox LIVE service to which this request should be directed. The request will only be routed to that service after verifying the validity of the header, the claims in the auth token, etc. Example value: 1. |
Request body
Required members
See PermissionCheckBatchRequest (JSON).
{
  "users":
  [
    {"xuid":"12345"},
    {"xuid":"54321"}
  ],
  "permissions":
  [
    "ViewTargetGameHistory",
    "ViewTargetProfile"
  ]
}
HTTP status codes
The service returns one of the status codes in this section in response to a request made with this method on this resource. For a complete list of standard HTTP status codes used with Xbox Live Services, see Standard HTTP status codes.
Code | Reason phrase | Description |
---|---|---|
200 | OK | The session was successfully retrieved. |
400 | The request is invalid. | Examples: incorrect setting IDs, incorrect URIs, etc. |
404 | The user specified in the URI does not exist. | The specified resource could not be found. |
Required Response Headers
Header | Type | Description |
---|---|---|
Content-Type | string | The MIME type of the body of the request. Example value: application/json |
Content-Length | string | The number of bytes being sent in the response. Example value: 34 |
Cache-Control | string | Polite request from the server to specify caching behavior. Example: no-cache, no-store |
Response body
See PermissionCheckBatchResponse (JSON).
Sample response
{
  "responses":
  [
    {
      "user": {"xuid":"12345"},
      "permissions":
      [
        {
          "isAllowed":true
        },
        {
          "isAllowed":true
        }
      ]
    },
    {
      "user": {"xuid":"54321"},
      "permissions":
      [
        {
          "isAllowed":false,
          "reasons":
          [
            {"reason":"NotAllowed"}
          ]
        },
        {
          "isAllowed":false,
          "reasons":
          [
            {"reason":"PrivilegeRest", "restrictedSetting":"AllowProfileViewing"}
          ]
        }
      ]
    }
  ]
}
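The sample response carries no permission names, so a caller has to pair each answer with the permission it requested. The following is an added example, not code from this documentation or from Xbox Live: it assumes answers come back in the same order as the request's `permissions` list (inferred from the sample above) and denies any pair the response does not clearly answer. The `evaluate` function and the `NoAnswer` marker are hypothetical names.

```python
import json

# Request and response bodies from this page's samples, embedded so the example runs offline.
REQUEST = {
    "users": [{"xuid": "12345"}, {"xuid": "54321"}],
    "permissions": ["ViewTargetGameHistory", "ViewTargetProfile"],
}
RESPONSE = json.loads("""
{"responses": [
  {"user": {"xuid": "12345"},
   "permissions": [{"isAllowed": true}, {"isAllowed": true}]},
  {"user": {"xuid": "54321"},
   "permissions": [
     {"isAllowed": false, "reasons": [{"reason": "NotAllowed"}]},
     {"isAllowed": false, "reasons": [{"reason": "PrivilegeRest",
                                       "restrictedSetting": "AllowProfileViewing"}]}]}
]}
""")

NO_ANSWER = "NoAnswer"  # hypothetical local marker, not a service reason code


def evaluate(request, response):
    """Map every requested (xuid, permission) pair to (allowed, reasons), denying by default."""
    perms = request["permissions"]
    decisions = {(u["xuid"], p): (False, [NO_ANSWER])
                 for u in request["users"] for p in perms}
    for entry in response.get("responses", []):
        xuid = entry.get("user", {}).get("xuid")
        answers = entry.get("permissions", [])
        if len(answers) != len(perms):
            continue  # answers cannot be aligned with the request: stay denied
        for perm, answer in zip(perms, answers):
            if (xuid, perm) not in decisions:
                continue  # ignore answers about users that were never asked about
            allowed = answer.get("isAllowed") is True  # only a JSON true grants access
            reasons = [r.get("reason") for r in answer.get("reasons", [])]
            decisions[(xuid, perm)] = (allowed, reasons)
    return decisions


if __name__ == "__main__":
    for (xuid, perm), (allowed, reasons) in evaluate(REQUEST, RESPONSE).items():
        print(xuid, perm, "ALLOW" if allowed else "DENY", reasons)
```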