
Terminology

Cookies

Cookies are small pieces of data stored by the browser and automatically sent with requests to the server when you visit a page. The seaofthieves.com website primarily uses cookies for the following purposes:
  • Identify your currently logged in account
  • Persist your current login session across visits
  • Store your personal security and privacy preferences
In this context, Mercia’s Quill will access your authentication cookies to send both GET and POST/PUT requests as you.

React Context

APP_PROPS is a page-level JavaScript variable embedded into every page’s script tags when using React contexts. The seaofthieves.com website primarily uses React contexts for the following:
  • Storing quick access to your currently logged in account data
  • Storing and updating your CSRF token
In this context, Mercia’s Quill will access your CSRF token through the APP_PROPS context variable to send POST/PUT requests as you.

JSON Web Encryption

JSON Web Encryption (JWE) is a standard for securely transmitting encrypted data. The seaofthieves.com website primarily uses JWEs for the following:
In this context, Mercia’s Quill will access your rat JWE to send any request as you.

Authentication Values

RAT Token

Methods: GET, POST, PUT, DELETE
The rat cookie is the primary method of authentication for the seaofthieves.com website and its internal APIs. This token is automatically included in requests to the Sea of Thieves API via cookies and is required for accessing all login-protected endpoints. This token is the only value required to generate all other authentication values listed below, so it is essential to keep it safe.
The RAT token is essentially a password that will bypass all secondary security methods and allow full control over your account until your password is reset, or the token expires in 6 days.

User-Agent

Methods: GET, POST, PUT, DELETE
The User-Agent is a value generated at runtime by your browser and is used to identify your device type and data. To mimic a request made from a real device, this value is copied from your browser’s headers.
  • Format: Plain Text
  • Stored as: Generated headers

AWFS Token

Methods: POST, PUT, DELETE
The awfs cookie is a value that is connected to your CSRF token. Its true intended purpose is internal and publicly unknown.
  • Format: Plain Text
  • Stored as: awfs cookie

CSRF Token

Methods: POST, PUT, DELETE
The csrf page prop is a value made to prevent cross-site request forgery attacks. This is meant to ensure that 3rd parties cannot mimic a client-side button / form to change your data. (Mercia’s Quill will override this.)
Mercia’s Quill will never use this token or attempt to mimic a POST/PUT request using your credentials unless explicitly prompted by you.

Example Requests

get_request_example.sh
curl 'https://www.seaofthieves.com/api/endpoint' \
  -H 'Cookie: rat=...' \
  -H 'User-Agent: Mozilla/5.0'
put_request_example.sh
curl -X PUT 'https://www.seaofthieves.com/api/endpoint' \
  -H 'Cookie: rat=...; awfs=...' \
  -H 'User-Agent: Mozilla/5.0' \
  -H 'X-CSRF-Token: ...'
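
Because the rat cookie works like a password, request headers like the ones above should be scrubbed before they are logged or pasted into a bug report. The following is an added example, not Mercia’s Quill’s own code: it redacts rat, awfs and X-CSRF-Token, and reports which values a request lacks for its method according to the methods listed for each value on this page. The function names and all sample values are assumptions.

```javascript
// Added example, not Mercia's Quill code. Cookie and header names are from
// the page; function names are hypothetical and sample values are constructed.
const SECRET_COOKIES = new Set(['rat', 'awfs']); // cookie names are case-sensitive
const WRITE_METHODS = new Set(['POST', 'PUT', 'DELETE']);

// Parse a Cookie header into [name, value] pairs, keeping their order.
function parseCookies(cookieHeader) {
  return String(cookieHeader || '')
    .split(';')
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => {
      const eq = pair.indexOf('=');
      return eq === -1 ? [pair, ''] : [pair.slice(0, eq), pair.slice(eq + 1)];
    });
}

// Return a copy of the headers that is safe to log or share.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase(); // header names are case-insensitive
    if (lower === 'cookie') {
      out[name] = parseCookies(value)
        .map(([k, v]) => `${k}=${SECRET_COOKIES.has(k) ? '[REDACTED]' : v}`)
        .join('; ');
    } else if (lower === 'x-csrf-token') {
      out[name] = '[REDACTED]';
    } else {
      out[name] = value;
    }
  }
  return out;
}

// List the authentication values a request lacks for its method:
// rat and User-Agent always; awfs and the CSRF token for POST/PUT/DELETE.
function missingAuthValues(method, headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const cookies = new Map(parseCookies(lower.cookie));
  const missing = [];
  if (!cookies.get('rat')) missing.push('rat');
  if (!lower['user-agent']) missing.push('User-Agent');
  if (WRITE_METHODS.has(method.toUpperCase())) {
    if (!cookies.get('awfs')) missing.push('awfs');
    if (!lower['x-csrf-token']) missing.push('X-CSRF-Token');
  }
  return missing;
}
```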