Epic Account Services Developer FAQ

Frequently asked questions for developers using Epic Account API

General Questions

How do I request access to the Epic Account API? You can request credentials to access the Epic Account API at the Developer Portal.

What do I have access to as part of the Epic Account API? You can request the following data for each user with an Epic Account:

  • Epic Account ID: A unique global identifier for users.

  • Display Name: The friendly name that the user displays to other users.

  • Friends List Users: Other users who are on the user's friends list, and who have granted permission to the same app.

  • Presence: Online presence for friends who have also granted permission to the same app.

  • Linked User Accounts: Information about accounts with other identity providers that have been linked to the user's Epic Account.

What users can I interact with using the Epic Account API? Initially, you will only be able to interact with other users within your organization. After your application has passed review, it can be distributed to any users within the Epic ecosystem. In an upcoming update, domain verification will make your application visible, but without the other levels of verification, an "unverified warning" will display on the consent dialog when the user installs the application.

Do I have to agree to any terms to use the Epic Account API? You must agree to the terms in the Epic Account Services Developer Agreement to submit an application to Epic Account Services. Epic will prompt you annually to re-accept these terms.

Configuration

What is the difference between an application and a client? An application refers to a software product as understood by the user. It includes the logo, brand, and all software components related to that product.

A client refers to credentials used by a developer to access the application's data for an individual piece of software. For example, an end-user distribution of a game, a dedicated server, a website, or a mobile app related to the game could all be clients accessing the same application's data.

How many clients can I link an application to? You can link up to 10 clients to a single application.

What permissions should I activate if I don't require any online functionality? All applications require Basic Profile permissions, as these are necessary for tracking a user's display name and ID. Otherwise, we advise that you do not use features that you do not need.

Data Privacy and Visibility

Who owns player data in Epic Account Services? Users own their own data in EAS, and may give or revoke consent for an application to use or collect data from them at any time. Epic shares their data on their behalf only once they have provided consent.

Why is the Privacy Policy URL mandatory for verifying an application with Epic Account Services? Per the Epic Account Service license agreement, we require all organizations to maintain a privacy policy that is visible to all users:

3.3 You agree to maintain a publicly available and easily accessible privacy policy that (i) complies with Privacy Laws; (ii) comprehensively, clearly, and accurately describes your Processing of Epic Account Data; and (iii) provides contact information for data protection inquiries. Your privacy policy must be consistent with this Addendum and the Agreement. You agree that you will provide an accurate link to your publicly available Privacy Policy to Epic for inclusion in the consent flow interface.

What happens if a user revokes their consent? A user can revoke consent by navigating to their Epic Games account user settings page, clicking Connections, clicking the Apps tab, and removing the application from their list. The next time they open the application it will prompt them to provide consent again.

Developers are required by the Epic Account Services license agreement to securely delete all of a user's account data upon the user's request, or upon notification from Epic that a user has requested deletion of their data. Epic is currently working on an automated solution for providing notification when a user deletes their account or otherwise revokes consent.

Is there a plan to support "optional" permissions? For example, my game has features that require the friends list, but you could play certain modes without those features. There is currently no way to make consent optional on a feature-by-feature basis. If your application implements a feature that requires the user to provide consent, even if the feature is optional, the user must provide consent for the entire application upfront.

If a user removes an application from a device and reinstalls it, does the user have to consent again? No. Consent is only given once unless it is explicitly revoked by the user. Uninstallation of a game does not imply that the user has revoked consent.

How does the system handle an application that requests additional permissions after the user has consented to the original permissions? If additional permissions are added after the user has already installed the application, the user will be asked to consent to the new permissions before being able to log in again.

Do developers get any information about user responses to permissions requests? For example, the percentage of users who got to the permissions stage and declined. If the user declines consent, the application will receive an error that the authorization request was cancelled. Epic does not track this metric.

Does a user have to provide consent for every client? No. Consent is provided to the application on behalf of the user. Once the user consents to Epic Account Services terms, it applies to all clients associated with that application. For example, if the user consents to the Friends List and Online Status permissions for Fortnite, their consent applies to the Fortnite game client and the Fortnite web client.

Can I change the clients assigned to my application after I've set it up with Epic Account Services? Yes. You can add or remove clients from the Product page for your application on the EOS Developer Portal.

How long does it take to remove a user's data from the system? Deleting a user's data for a single product or unlinking a user account for a single identity provider is instantaneous. For deleting all of a user's data across your organization, there is a grace period of 10 days, during which the request for deletion can be canceled.

Application Brand Review

What is application brand review? All applications must pass an application brand review to verify that the application complies with our policies and is genuinely associated with your organization.

Why is application brand review required? Our primary goal with Application Brand Review is to protect users from brand spoofing, phishing, malicious applications, and malware. We also want to protect developers and brand owners from having their identities stolen within our ecosystem.

What is required for application review to pass? When you review the Epic Account Services terms and conditions for a product on the Developer Portal, you must submit several materials for review alongside your agreement, including application name, privacy policy URL, your web domain, and a logo/image for the application. Once all of these materials have been provided, the Submit button is unlocked.

These materials then undergo the following review:

  • Developer Verification: Verifies that you are who you say you are. Verification requires some form of identification such as a Business Licence, Certification of Incorporation, or TAX/VAT certificate, or personal methods such as a Passport, Government Photo ID, or Driver's License.

  • Domain Verification: We make sure that you own the provided web domain.

  • Application Brand Verification: We make sure that you own your logo or associated brands/trademarks. We also ensure that submitted materials or images do not violate any of our brand policies. There should not be any obscene or inappropriate names or images.

If you meet all of the above criteria, your application can then be verified, and all audience restrictions will be removed. In the future, this will be expanded to a multi-stage review process, where each level of verification will lift another layer of restrictions.

Can my application request the user's authorization even if it hasn't passed review? Unverified applications are only visible to users within your organization. If your application is not verified, the end user will see a dialog stating that your application is not verified and asking if they still want to continue. If the user agrees, they will then be shown the normal authorization dialog. Your application must be verified to lift the audience restriction and be publicly visible.

When I input a name for an application for a client, does it have to be a unique name? Application and client names in Epic Account Services do not need to be unique. This is to prevent "domain theft" by abusive users, who could potentially snatch obvious application names for well-known products before their actual owners create pages for them. Instead, we rely on the brand verification/review process to ensure that brands and products are legitimate.

How does Epic respond to malicious/unauthorized duplicates? Malicious or unauthorized duplicates remain unverified, which means that they are not visible to users outside of the developers' organization. In the future we will support the following measures as well:

  • Domain Verification: False domains will be blacklisted.

  • Application Reporting: There will be a link on the consent dialog for reporting false domains.

  • Brand Review: We will verify that the name being used is either unclaimed or owned by your organization.