How VLGG uses the Riot API
A complete description of what data we request, why we request it, and how we handle it — written for Riot’s API review and for any user who wants to know the same.
1. What VLGG is
VLGG is an iOS application that lets a VALORANT player view detailed analytics for their own matches. After signing in with Riot Sign On (RSO), the app retrieves the player’s match history through the Riot Public API and displays per-round, per-side, and per-weapon breakdowns that are not available in the in-game scoreboard. The app does not display data about any player other than the signed-in user.
2. Riot Public APIs used
- ACCOUNT-V1 — to resolve the signed-in user’s PUUID and Riot ID (gameName#tagLine).
- VAL-MATCH-V1 — to fetch the user’s match list and individual match details.
- VAL-RANKED-V1 — for public competitive leaderboards.
- VAL-CONTENT-V1 — for static metadata (agents, maps, seasons).
- VAL-STATUS-V1 — for game service status.
3. Data flow
- The user taps “Sign in with Riot” in the iOS app.
- The app opens an ASWebAuthenticationSession to auth.riotgames.com.
- Riot redirects to our Cloudflare Worker callback at https://api.vlgg.net/auth/rso/callback.
- The Worker exchanges the OAuth code for tokens server-side. The Riot client secret never reaches the device.
- The Worker resolves the user’s PUUID, Riot ID, and active VAL shard.
- The Worker issues a self-signed 7-day JWT, and the iOS app stores it in the iOS Keychain.
- For subsequent requests, the app calls /me/matches, /me/matches/:id, and /public/leaderboard with the JWT.
- The Worker calls the Riot Public API on the user’s behalf using the user’s RSO refresh token (encrypted at rest with AES-GCM).
4. Policy compliance
- No scouting. The app cannot look up arbitrary players. Only the signed-in user’s own matches are visible.
- No real-time competitive edge. The app does not surface live in-game data; only completed match history is shown.
- No in-game overlay. The app is a standalone iOS app — no overlay, no automation, no game-client integration.
- RSO opt-in only. Users must explicitly authorize the app via Riot Sign On. Without authorization, only public ranked leaderboards (also via the official API) are visible.
- No third-party data sales. Riot data is never sold to or shared with parties other than Firebase (anonymized crash and analytics) and AdMob (ad-impression data, with ATT consent for IDFA).
5. Security
- RSO refresh tokens are encrypted at rest with AES-GCM (256-bit key) in our Cloudflare D1 database.
- The OAuth code-for-token exchange happens server-side; the Riot client_secret is never embedded in the iOS app.
- Self-issued session tokens are signed with HS256, expire after 7 days, and are revocable.
- The iOS app stores its session JWT in the iOS Keychain (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly).
- The Riot redirect uses Universal Links — not a custom URL scheme — to prevent callback hijacking.
- Per-user rate limiting is enforced server-side.
- PUUIDs are SHA-256 hashed (first 8 hex chars only) before being written to logs.
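The session-token rules listed above (HS256, 7-day expiry, revocable) can be sketched as follows. This is an added example, not VLGG's code: it uses Node's built-in crypto module, and the jti claim and the in-memory revocation set are assumptions standing in for whatever the Worker actually stores.

```javascript
// Added example, not VLGG's code. Function and claim names are illustrative.
const { createHmac, timingSafeEqual, randomUUID } = require('node:crypto');

const SEVEN_DAYS = 7 * 24 * 60 * 60; // session lifetime in seconds, per the page
const b64u = (v) => Buffer.from(v).toString('base64url');
const sign = (data, key) => b64u(createHmac('sha256', key).update(data).digest());

// Issue a session token. jti (assumed claim) lets the server revoke it later.
function issueSession(sub, key, now = Math.floor(Date.now() / 1000)) {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const claims = { sub, jti: randomUUID(), iat: now, exp: now + SEVEN_DAYS };
  const body = `${header}.${b64u(JSON.stringify(claims))}`;
  return `${body}.${sign(body, key)}`;
}

// Verify a token. Returns the claims, or null on any failure.
// revoked is a Set of jti values (assumption: stand-in for a database lookup).
function verifySession(token, key, revoked, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  // Check the MAC first, in constant time, before parsing any claims.
  // The MAC is always HMAC-SHA256; the header never selects the algorithm.
  const expected = Buffer.from(sign(`${header}.${payload}`, key));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    // Defense in depth: reject any header that does not declare HS256.
    if (JSON.parse(Buffer.from(header, 'base64url')).alg !== 'HS256') return null;
    const claims = JSON.parse(Buffer.from(payload, 'base64url'));
    if (typeof claims.exp !== 'number' || now >= claims.exp) return null; // expired
    if (revoked.has(claims.jti)) return null; // logged out or revoked
    return claims;
  } catch {
    return null; // malformed JSON in header or payload
  }
}
```

On logout, the server would add the token's jti to the revocation store and delete the stored refresh token, so the session stops working before its 7-day expiry.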
6. Data retention & deletion
- Match data fetched from Riot is cached in our D1 database for performance and is treated as immutable (matches do not change after they end).
- Refresh tokens are deleted upon user logout. Session tokens are revoked.
- Users may request full data deletion at any time by emailing soopoly.dev@gmail.com. We respond within 24 hours.
7. Developer
- Developer: soopoly
- Contact: soopoly.dev@gmail.com
- Website: https://vlgg.net
- API key holder: the same developer; production key applied for under the same identity.