Again, I was looking at what kind of HTTP API endpoints I can access from Windows 8 that will not be protected. As you already know, a lot of data in Windows 8 is handled through the associated Live ID (read: Microsoft Account) and the traffic is SSL-secured, therefore it wouldn’t make much sense at this point for me to try intercepting it.
On the other hand, there are plenty of interesting open HTTP endpoints and today I am talking about the ones you can find in the Xbox Live app.
First of all, the application accesses endpoints that verify handled certificates and gets a Certificate Revocation List (CRL). Once that is done, the application starts looking for content.
It’s interesting that the guys responsible for this application chose to use the Windows Phone–designed assets in this case. This is the feed that is responsible for the main spotlight – the dots you see on the bottom are nothing more than separate content tiles that are rendered based on the XML returned by the above mentioned URL.
The data can look something like this:
(click to enlarge)
There are slot groups – the main highlight and the two ads on the side. All of them have a type assigned. For ads, the type is Ad and for genera highlights (e.g. games, movies, music albums) the type is Media. For each individual slot you can get the name of the content presented, its description as well as an URL to an asset that is tied to the tile.
Next stop – featured Xbox Live titles. The endpoint:
The data returned is extremely simplistic and doesn’t really provide much information beyond the name of the title and its ID. A single XML slot will look like this:
All I need here is the ID itself, and I can get even more metadata with the next endpoint – the game details one. Now I am talking directly to the Marketplace server (substitute the game ID with any other valid GUID that is associated with an XBL title):
If you are not familiar with JSON yet, then you probably should probably start learning it because the returned game information is all in JSON. Thanks to this online JSON formatter and validator, I was able to have a visually appealing representation of various item details.
Using the GUID from above, which, by the way, is for Call of Duty: Black Ops, I got the following information:
- Game ID
- Image (large box art - http://download.xbox.com/content/images/66acd000-77fe-1000-9115-d80241560855/1033/boxartlg.jpg)
- Image (background - http://download.xbox.com/content/images/66acd000-77fe-1000-9115-d80241560855/1033/background.jpg)
- Download type
- A list of genres it falls in
- Developer studio
- Original release date
- Content rating (ESRB)
- An URL to an ASX trailer stream
- A list of game screenshots
- URL for game details
- A list of potential child download types (e.g. demo, add-ons, avatar items)
- A full representation of each child download
- Price for Gold members
- Price for Silver members
For each child download, you also get an ID that can be used with the game details endpoint. For example, the Annihilation Burger Man Multiplayer Trailer has the ID value equal to a85e5b4f-360b-47b1-a44f-9ba06343275e. I can easily use this URL to get this item’s details, even though by itself it is not a separate XBL title:
Other URL endpoints are not exactly interesting because those do not offer public metadata. A good fit in this category would be the Manifest service, that returns avatar-specific manifests before one is rendered. The URL is:
Where gt is a parameter that represents the desired gamertag.
Overall, these endpoints might be useful for small applications that aggregate XBL open XBL data as a part of their own user experience. For example, it can be used in a game recommendation engine, or integrated with an application that promotes XBL titles and content.