GENERAL POLICIES

READ THESE THOROUGHLY

Our goal is to provide developers with a set of tools to create projects that will create a better player experience. We try as much as possible to not guide or hinder the creative process. While we remain as hands off as possible we do, at times, need to step in to ensure projects don’t have a negative impact to players. That being the case, we care about the developer community as well as the players they develop projects for, so if you have questions let us know as soon as possible and we’ll be happy to provide guidance. Please note, by following these guidelines and eventually getting your application approved, it means we’ve approved your application for a production API key. We don’t give individual projects a stamp of approval, but rather ensure they don’t conflict with our player-focused policies.


When working with the Riot Games API and other Developer Tools, we have several conditions set forth in our Terms of Use and Legal Jibber Jabber. We know that can be a pretty dense read, so here’s a quick synopsis of some of the key points that come up most often. (Note however this is NOT all inclusive and that you still need to read and agree to the Terms)

The goal is to enrich the League of Legends community and provide a better player experience. If your project may lead to a negative player experience please talk to us before it’s too late! There are some things that we're flexible on, but there are also some things we take a hard stance on.


PLEASE DON'T

  • Break the law
  • Publish a project that doesn't properly secure your API key
  • Utilize a Development or Interim API key to run a publicly accessible production project (Development and Interim API keys are to be used to create a prototype that we can review before the project is made available for public consumption)
  • Compromise the integrity of the game or create an unfair advantage for players
  • Charge money for your app or provide exclusive access, in whole or in part, to specific users
  • Provide alternate channels to report or evaluate other players
  • Create alternatives for official skill ranking systems, such as Ranked Leagues (Prohibited alternatives include MMR or ELO calculators)
  • Refer to your project to be in a partnership or approved by Riot Games
  • Utilize methods to connect to other League of Legends systems, such as League chat, that haven't been included in the third party tools. (Except where otherwise noted in any official exceptions, if any.)
  • Scrape data from undocumented endpoints or any other sources outside of the provided Riot API Endpoints and other documented Third Party Developer Tools. (Except where otherwise noted in any official exceptions, if any.)
  • Build or design any tools or components designed to look like the native League of Legends or Riot Games branding and designs, both in-game and out.

If you have an idea that you think might fall within a gray area feel free ask us in your project's application. Make sure to include a description and the goal behind your project, and then post your question as an App Note within the application. We’ll be happy to provide you with feedback and work with you to achieve your goal without conflicting with policies we have in place to protect the player experience.


PLEASE DO

  • Think outside the box
  • Think of ways for players to evaluate and improve their own gameplay
  • Think of ways to connect players with their friends
  • Blow our minds (it’s encouraged)
  • Feel free to use any of our art assets from the game (but NOT any official Logos)

As mentioned, this is not an all-inclusive list, so please be sure to read through all of the Terms of Use and Legal Jibber Jabber as well!


TOURNAMENT POLICIES

  1. You are responsible to ensure a fair and balanced system for matchmaking teams.
  2. All features of your project must be freely available to every tournament participant.
  3. A tournament must have a minimum of 20 active participants, regardless of team size (1v1, 3v3, 5v5 etc).
  4. Teams must progress through the tournament by playing directly against their opponents. It must be a traditional style tournament (elimination, round robin, etc) and not direct challenges or ladder systems.
  5. Anything related to wagering, betting, gambling, or any other use of real money outside of a nominal entry fee is not permitted. No exceptions.
  6. Custom currencies with a monetary value are strictly forbidden. Entry fees or buy-ins must be displayed in a fiat currency, to provide clarity to the participants, and then distributed amongst the winning teams at the end of the tournament based on placements.

    fiat currency is a currency backed by a government regulation or law.

Any time money gets involved we take things very seriously. We've seen a considerable amount of shady behavior with regard to the Tournaments API and as such this is not an area we're likely to be understanding. We understand the overwhelming benefit that community tournaments have created for players, but any deviation from these policies is likely to be handled strictly. If you have any questions ask before implementing a feature that may conflict with these policies.


CREDENTIAL SECURITY

Remember, don't share your account information with anyone, including your API key!

For your login credentials, take the same precautions as you would with your League of Legends account.

Regarding your API key, this key is tied to your League of Legends account and will be used for your application. If someone has access to your key, they can potentially use it for their own purposes, leaving you without one or with a severely diminished rate limit – even entering your key into another application can be dangerous! You should also make sure that you are using SSL/HTTPS when accessing the APIs so that your key is kept safe. You don’t want anyone else consuming your traffic and making it impossible for you to build your app. Protect your key so that everyone can see the awesome things you build!

Note that embedding a key in a distributed client application, like a desktop or mobile application, means that your key can be compromised. Even secure storage or encrypted keys on a client can be breached. The only way to ensure your API key remains safe is to have the client application access your own server, which then makes the appropriate request to the API using HTTPS. Even in the worst case scenario, if someone does manage to get your key from your server, through a man-in-the-middle or other type of attack, you can easily regenerate your key and update it in your server. If you have a key distributed across numerous client applications, you won't be able to do that without breaking all of the clients.

For similar reasons, generally you should not commit your API key to your code base, especially if you plan on building a distributed binary from that code base. Even if your code base is for a server application, we recommend reading your API key from a configuration file running on the server, rather than committing it to the code base. This practice limits your exposure to only the boxes that the server is running on, allows you to easily swap out keys without having to rebuild and redeploy, and prevents accidental sharing of your keys if you ever open source or otherwise share parts of your code.

Note that for teams working together on an application, there will be an obvious need to share an API key for your application. Our intention is not to discourage sharing along these lines, but rather sharing with people outside of your organization or who are working on other projects.

Sometimes people post their API keys on the forums when they are asking for help or giving code examples. Please note that if you do this, we will edit the post to remove the key and then regenerate your key on your account.


MONETIZATION POLICIES

As you might expect, any time money gets involved we take things very seriously. In any case where you're unsure about whether or not you're breaking our monetization policy you should default to excluding the feature in question. The Riot Games API is provided as a tool for community creators to create a project that can be freely enjoyed by players, it is not meant as a means to generate revenue. We will always put the player's interests first and if we feel a project is taking advantage of players we'll move swiftly to have it removed.

With that said, we are always looking for ways to support content creators who work on projects that benefit the community, and we know it’s difficult to run these sometimes costly projects. We also understand that developers want to recoup the time and engery it takes to build and maintain these projects. As such there are a few methods which allow developers to offset those costs, which we're fine with.

We specifically reserve the right to require any form of monetization be removed if we see something sketchy.


ADVERTISEMENTS

We're fine with projects passively collecting revenue from users via advertisements. From our perspective this is the preferred method of monetization to offset the cost of developer's projects.


PAID REMOVAL OF ADVERTISEMENTS

We know it's sometimes difficult to create a tasteful, unobtrusive native experience with advertisements. This is part of the reason why the mobile industry has gravitated toward the paid removal of ads. As such, after contacting us first, we'll allow developers to support their projects with the paid removal of advertisements.

Developers who are granted permission to monetize their applications will be required to provide the same functionality and experience in their projects with and without advertisements. For mobile and desktop applications, the removal of advertisements is an action that needs to be executed within the application itself. We will not be allowing two separate versions of the application. The app itself must be free, with the option to remove advertisements as an in-app purchase.

In order to offer the paid removal of advertisements you must:

  1. Contact us via an App Note within your project's application
  2. Provide us with a visualization of your project with and without advertisements
  3. Accept the additional monetization terms within your project's application

Projects that offer the paid removal of advertisements without contacting us first will be in violation of our policies and risk having their API key disabled.


BEST PRACTICES

DEVELOPMENT KEY

The most basic key that every developer receives upon successful registration is limited to 10 requests every 10 seconds. Use this key to discover what the Riot Games API has to offer, form ideas, and test the water.

Remember to keep your API key private. This key is tied to your League of Legends account and will be used for your applications. If someone gains access to your key, they can potentially use it for their own purposes, leaving you without one or with a severely diminished rate limit – even entering your key into another application can be dangerous! We don’t want anyone else consuming your traffic and making it impossible for you to build your app, so protect your key and make awesome.

We don’t expect your awesome creation to survive in the wild with this key. Once your app or website is ready for players to experience, please register it for us to review. We’ll provide you with a key that can handle “the friendly Reddit DDoS.”

Pro tip: Architect your code to accommodate for a key with a variable limit.

RATE LIMITING

Every website and app that consumes data from the Riot Games API has a rate limit. That is, each key may only make a certain number of requests each second. Unaccounted for, your website or app could reach this limit, which may negatively impact player experience.

For instance, the following pseudocode asynchronously requests the recent games for a large number of players:

foreach (summonerId in playersToFetch)
    RiotGamesAPI.recentGamesAsync(summonerId)

This loop could send out thousands of requests in milliseconds. Once the rate limit has been reached for that specific second, the API will return the HTTP response status code “429 Too Many Requests.”

The updated pseudocode will sleep for 1 second after making the exact number of requests that the rate limit permits:

foreach (summonerId in playersToFetch)
    RiotGamesAPI.recentGamesAsync(summonerId)
    if (requestCount == RATE_LIMIT)
        sleep(1000)

Pro tip: Degrade gracefully. If you hit the limit during a player’s request, give them a friendly error message.

CACHING

Even though the Riot Games API was engineered with speed in mind, we strongly advise against relying on it as your sole data store. Instead, implement a caching layer. By caching every API request, you will decrease response times as well as the total number of requests made.

Pro tip: Cache frequently accessed data in memory (Redis, Memcached, etc.) and rarely accessed data on disk (MySQL, RDS, etc.).

SUMMONER NAME ENCODING

If your website or app takes a summoner name as input, please HTML encode it before making the initial request. Many languages have built in support for HTML encoding, and for those that don’t, external libraries should be available.

Keywords to search for include “HTML encoding,” “URI escaping,” and “HTML entities.”

Pro tip: If your website or app stores our data, double check that your database encoding supports every character set (UTF-8).

JAVASCRIPT

Avoid using client-side Javascript to directly communicate with the Riot Games API. Not only do you lose control over your API key, you also run the risk of bumping against the rate limit.

Pro tip: If you want to develop with Javascript, architect an intermediate layer between the Riot Games API and the player. By doing this, your key will remain a secret and you’ll retain tighter control over what happens when you hit the rate limit.