Security & data handling

Built to protect your account and GGG's API.

ExileOS uses Path of Exile's official, read-only API and OAuth login. Account login activates only once Grinding Gear Games approves the OAuth client; this is how that access is handled when it does.

Authentication & tokens

  • Official Path of Exile OAuth only, using the Authorization Code flow with PKCE (S256). ExileOS never sees or stores your GGG password.
  • Confidential client: the authorization code is exchanged for tokens server-to-server. The client secret never reaches the browser, and PKCE state/verifier live in short-lived httpOnly, secure cookies during the handshake.
  • Your PoE access and refresh tokens are stored encrypted in AWS Secrets Manager under a per-account path. Our database keeps only an opaque reference and non-sensitive metadata (scopes, expiry) — never the tokens, and never tokens in the browser.
  • After login, ExileOS issues its own short-scoped session cookie (httpOnly, secure); PoE tokens are used only by backend services.

Respecting the PoE API (rate limits)

  • A dedicated limiter reads every response’s rate-limit headers and adapts to the server-advertised limits per endpoint, which differ by policy.
  • Admission control runs against a shared token bucket, so the limit is enforced globally across all worker processes — scaling out never increases the request rate to GGG.
  • On a 429 it honors Retry-After exactly and backs off the affected policy before resuming.
  • Per-account polling is paced on a tiered schedule, and snapshots are deduplicated by content hash, so nothing is re-fetched or re-processed when nothing changed. The User-Agent follows GGG’s required format.

Data protection

  • Encryption in transit (HTTPS/TLS everywhere) and at rest (encrypted database, secrets, and object storage).
  • Least-privilege access: application roles can read only their specific secret paths; deploys use short-lived GitHub OIDC credentials, not long-lived keys.
  • Secrets are never in source control. The only Path of Exile data source is the official API; ExileOS never touches the game client or your files.

Your data, your control

  • Read-only: ExileOS never writes back to the game.
  • You authorize specific scopes and can disconnect at any time, which revokes our access and deletes the stored tokens.
  • Deletion on request hard-deletes your account records and progression snapshots. No data resale, no advertising trackers.
  • Scopes are requested incrementally — only for features that are actually built.

Questions about the integration or a security detail? Reach out at oauth@exileos.gg. See also our Privacy Policy and Terms.

This product isn’t affiliated with or endorsed by Grinding Gear Games in any way. Path of Exile is a trademark of Grinding Gear Games.