rlapi is a reverse engineered collection of Rocket League's internal APIs with a Go SDK. It provides a full end-to-end flow, from authentication to accessing the item shop, player stats, inventory, match history, replays, and more. This repository also contains resources for reverse engineering and analyzing Rocket League network traffic, serving as a foundation for further exploration. Not all endpoints are fully documented—do not ask about specific ones, as I probably don't know.

All contributions are welcome! If you discover new endpoints, extend the Go SDK, or add additional functionality, please submit a PR.

Refer to the godoc for detailed documentation on the Go SDK.

Comprehensive examples are available in the examples directory.

go get github.com/dank/rlapi

Rocket League authentication always goes through Epic Online Services (EOS), either via the Epic Games Store (EGS) or by exchanging a Steam session ticket for an EOS token.

This library provides full end-to-end authentication via EGS. Steam login and ticket generation are out of scope, but a method is provided to exchange a Steam session ticket for an EOS token, and users can leverage external libraries such as steam-user or Steamworks to obtain the ticket.

Traditional proxy tools like Fiddler don't work with Rocket League due to certificate pinning.

To intercept traffic, we use Frida dynamic instrumentation to hook curl functions at runtime, disabling SSL verification and redirecting API traffic to a local MITM server.

The MITM proxy forwards both HTTP and WebSocket traffic to the official servers while intercepting and logging requests and responses. Authentication responses are rewritten so the WebSocket URL points to the local server.

Rocket League initially establishes a connection with the HTTP API before transitioning to a WebSocket connection. The client sends an EOS access token via HTTP and receives session credentials, the WebSocket endpoint URL, and any tokens required for further communication. The client then connects to the WebSocket using these tokens, allowing all subsequent API calls to occur over a persistent WebSocket connection.

All API requests and responses must include a PsySig header containing a Base64-encoded HMAC-SHA256 signature. The signing keys were reverse engineered from the game binary and are XOR'd with a 4-byte pattern. To decrypt:

# Raw IDA dump
data = [0x36, 0xEA, 0x37, 0x0C, ...]  # 36 bytes total

key_bytes = [data[i] ^ data[(i % 4) + 32] for i in range(32)]

• Request Key: c338bd36fb8c42b1a431d30add939fc7
  • Format: HMAC-SHA256(key, "-" + <request body>)
• Response Key: 3b932153785842ac927744b292e40e52
  • Format: HMAC-SHA256(key, PsyTime + "-" + <response body>)

WebSocket messages require a custom HTTP-like schema with headers and JSON body:

PsyService: Matchmaking/StartMatchmaking v2
PsyRequestID: PsyNetMessage_X_1
PsyToken: authentication-token
PsySessionID: session-identifier
PsySig: request-signature
PsyBuildID: 151471783
User-Agent: RL Win/250811.43331.492665 gzip
PsyEnvironment: Prod

{"playlist_id": 10, "region": "USE"}

The message format is: headers (each ending with \r\n) followed by \r\n\r\n separator, then JSON body.

(Values may be outdated)

The HTTP API is used only for authentication and to bootstrap the WebSocket connection. Unlike before, there is no way to "downgrade" the WebSocket connection to HTTP (AFAIK).

The base URL for HTTP requests is: https://api.rlpp.psynet.gg/rpc/.

<platform>|<platform-specific account ID>|0

PsyRequestID: PsyNetMessage_X_0 
PsyBuildID: 151471783
PsyEnvironment: Prod
User-Agent: User-Agent: RL Win/250811.43331.492665 gzip (x86_64-pc-win32) curl-7.67.0 Schannel
PsySig: <HMAC signature>
Content-Type: application/x-www-form-urlencoded
        
{
  "Platform": "<platform>",
  "PlayerName": "<player name>",
  "PlayerID": "<platform account ID>",
  "Language": "INT",
  "AuthTicket": "<EOS access token>",
  "BuildRegion": "",
  "FeatureSet": "PrimeUpdate55_1", // varies by build
  "Device": "PC",
  "LocalFirstPlayerID": "<player ID>",
  "bSkipAuth": false,
  "bSetAsPrimaryAccount": true,
  "EpicAuthTicket": "<EOS auth ticket>",
  "EpicAccountID": "<Epic account ID>"
}

{
  "Result": {
    "IsLastChanceAuthBan": false,
    "VerifiedPlayerName": "<player name>",
    "UseWebSocket": true, // forcing this to false doesn't do anything
    "PerConURL": "wss://...", // unused / legacy?
    "PerConURLv2": "wss://...", // url for ws connection
    "PsyToken": "<auth token>", // used by subsequent ws requests
    "SessionID": "<session id>", // used by subsequent ws requests
    "CountryRestrictions": []
  }
}

The following is an incomplete list of WebSocket events, some events may be undocumented or partially understood.

The WebSocket endpoint URL is returned by the authentication endpoint, it is currently: wss://ws.rlpp.psynet.gg/ws/gc2.

• Challenges
  • Challenges/CollectReward v1
  • Challenges/FTECheckpointComplete v1
  • Challenges/FTEGroupComplete v1
  • Challenges/GetActiveChallenges v1
  • Challenges/PlayerProgress v1
• Clubs
  • Clubs/AcceptClubInvite v2
  • Clubs/CreateClub v1
  • Clubs/GetClubDetails v1
  • Clubs/GetClubInvites v1
  • Clubs/GetClubTitleInstances v1
  • Clubs/GetPlayerClubDetails v2
  • Clubs/GetStats v1
  • Clubs/InviteToClub v4
  • Clubs/LeaveClub v1
  • Clubs/RejectClubInvite v1
  • Clubs/UpdateClub v2
• Drop
  • Drop/GetTradeInFilters v1
• GameServer
  • GameServer/GetClubPrivateMatches v1
  • GameServer/GetGameServerPingList v2
• Matches
  • Matches/GetMatchHistory v1
• Matchmaking
  • Matchmaking/PlayerCancelMatchmaking v1
  • Matchmaking/PlayerSearchPrivateMatch v1
  • Matchmaking/StartMatchmaking v2
• Microtransaction
  • Microtransaction/ClaimEntitlements v2
  • Microtransaction/GetCatalog v1
  • Microtransaction/StartPurchase v1
• Party
  • Party/ChangePartyOwner v1
  • Party/CreateParty v1
  • Party/GetPlayerPartyInfo v1
  • Party/JoinParty v1
  • Party/KickPartyMembers v1
  • Party/LeaveParty v1
  • Party/SendPartyChatMessage v1
  • Party/SendPartyInvite v2
  • Party/SendPartyJoinRequest v1
  • Party/SendPartyMessage v1
• Players
  • Players/GetBanStatus v3
  • Players/GetCreatorCode v1
  • Players/GetProfile v1
  • Players/GetXP v1
  • Players/Report v4
• Playlists
  • Playlists/GetActivePlaylists v1
• Population
  • Population/GetPopulation v1
  • Population/UpdatePlayerPlaylist v1
• Products
  • Products/CrossEntitlement/GetProductStatus v1
  • Products/GetContainerDropTable v2
  • Products/GetPlayerProducts v2
  • Products/TradeIn v2
  • Products/UnlockContainer v2
• Regions
  • Regions/GetSubRegions v1
• Reservations
  • Reservations/JoinMatch v1
• RocketPass
  • RocketPass/GetPlayerInfo v2
  • RocketPass/GetPlayerPrestigeRewards v1
  • RocketPass/GetRewardContent v1
• Shops
  • Shops/GetPlayerWallet v1
  • Shops/GetShopCatalogue v2
  • Shops/GetShopNotifications v1
  • Shops/GetStandardShops v1
• Skills
  • Skills/GetPlayerSkill v1
  • Skills/GetPlayersSkills v1
  • Skills/GetSkillLeaderboard v1
  • Skills/GetSkillLeaderboardRankForUsers v1
  • Skills/GetSkillLeaderboardValueForUser v1
• Stats
  • Stats/GetStatLeaderboard v1
  • Stats/GetStatLeaderboardRankForUsers v1
  • Stats/GetStatLeaderboardValueForUser v1
• Tournaments
  • Tournaments/Registration/RegisterTournament v1
  • Tournaments/Registration/UnsubscribeTournament v1
  • Tournaments/Search/GetPublicTournaments v1
  • Tournaments/Search/GetSchedule v1
  • Tournaments/Status/GetCycleData v1
  • Tournaments/Status/GetScheduleRegion v1
  • Tournaments/Status/GetTournamentSubscriptions v1
• Training
  • Training/BrowseTrainingData v1
  • Training/GetTrainingMetadata v1
• Users
  • Users/CanShowAvatar v1
• Misc
  • DSR/RelayToServer v1
  • Filters/FilterContent v1
  • Metrics/RecordMetrics v1
  • Party/System
  • PsyPing