JSON endpoints for the realm's public-facing data — current online roster, rated PvP leaderboards, character profiles. Open to any origin (CORS *), no auth, modestly cached. Build a Discord bot, a streamer overlay, an external tracker — all welcome.
Snapshot of all characters currently online. The top-level online_count is the realm-wide total (not the page); characters[] is capped by limit (default 100, max 500), highest level first.
limit — integer, 1..500, default 100The latest published news. Always returns the most recent 3 posts (newest first) in posts[]; latest is the most recent one.
Top-N rated PvP ladder for the bracket, current season. Bots excluded. Returns the current season number in the response so you can attach it to your output.
bracket — 2v2 · 3v3 · rbglimit — integer, 1..100, default 20Single character profile by name. Returns 404 { "error": "not_found" } for unknown names.
name — character name, 1..12 lettersPrefix character-name autocomplete (powers the navbar search). Up to 8 matches, alphabetic-only queries, highest level first. Empty [] for empty or invalid queries — never 4xx in normal use.
q — string, 1..12 lettersRegistriert einen neuen Account mit E-Mail + Passwort — identisch zur Website-Registrierung (Battle.net-Account + Spielaccount <id>#1). Gibt direkt einen Bearer-Token zurück, sodass der Launcher sofort angemeldet ist. IP-gedrosselt (max. 3/Stunde). Body als JSON oder application/x-www-form-urlencoded.
email — gültige E-Mail (= Login-Name)password — 6–16 ZeichenFehler: 400 missing_fields / invalid_email / invalid_password · 409 email_taken · 429 rate_limited · 405 method_not_allowed.
Anmeldung mit Benutzername (oder E-Mail) + Passwort. Gibt bei Erfolg einen Bearer-Token zurück, mit dem authentifizierte Endpunkte wie /api/balance abgefragt werden. Brute-Force-geschützt; Accounts mit aktiver 2FA müssen twofa_code mitsenden. Body als JSON oder application/x-www-form-urlencoded.
username — Benutzername oder E-Mailpassword — Passworttwofa_code — optional, nur bei aktiver 2FAFehler: 400 missing_credentials · 401 invalid_credentials · 401 twofa_required / twofa_invalid · 429 rate_limited · 405 method_not_allowed.
Battle-Pay-Coins des angemeldeten Accounts. Erfordert den Token aus /api/login im Header Authorization: Bearer <token> (alternativ ?token=… als Fallback).
Authorization: Bearer <token>Fehler: 401 missing_token / invalid_token / token_expired · 404 account_not_found.
class: 1 Warrior · 2 Paladin · 3 Hunter · 4 Rogue · 5 Priest · 6 DK · 7 Shaman · 8 Mage · 9 Warlock · 10 Monk · 11 Druid
race: 1 Human · 2 Orc · 3 Dwarf · 4 Night Elf · 5 Undead · 6 Tauren · 7 Gnome · 8 Troll · 9 Goblin · 10 Blood Elf · 11 Draenei · 22 Worgen · 25 Pandaren (A) · 26 Pandaren (H)
gender: 0 male · 1 female
No game-economy mutations. No AH, mail or gold changes via the API — that's a hard locked decision, never coming. The only writes are account creation (/api/register) and token issuance (/api/login).
Public data: no auth, no rate limit, no API keys. Same data the public Armory / Leaderboards / Who's Online pages already render. CORS * so any origin can fetch.
Account endpoints (/api/register, /api/login, /api/balance) are guarded. Register and login are rate-limited; /api/balance needs a Bearer token tied to the account. Keep the token secret — treat it like a password.
Cached. Cache-Control max-age 20–60s on each endpoint. Don't pound it — your bot won't get faster data.
Best-effort, no SLA. Endpoints may return 503 when the characters DB is temporarily unavailable. Always check the HTTP status.
curl
JavaScript (Discord.js / browser)