You can refer to the discussion here:
Basically the idea is:
- If your game is run via the app, and you've correctly set up your manifest, you'll get a JWT token via an environment variable
- Send that to your server
- Your server does the `/me` API request
- Now your server knows that this IP/session corresponds to that itch.io player
- If your game is *not* run via the app, listen on http://localhost:5678 (or any port) and open the OAuth login page in the user's browser
- If you can't listen on localhost on the port you registered, specify `urn:ietf:wg:oauth:2.0:oob` as a redirect URI instead; this will allow them to copy/paste the code
- Once you get the code back - that's an API key, send it to your server
- Your server does the `/me` API request
- Now your server knows that this IP/session corresponds to that itch.io player
Hopefully that clears things up a bit! We want to write guides for how to achieve this in the near future, as the API develops.
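
The server-side half of both flows above, as an added example that is not part of the original post or itch.io's own code: the server makes the `/me` request itself and binds the session only to the identity the API returns. The base URL, the `jwt`/`key` path segment, the Bearer header and the response shape are assumptions, and `SessionBinder` and `fake_fetch` are hypothetical names.

```python
import json
import urllib.request

# Assumption: base URL and the "jwt"/"key" path segment; the post only names `/me`.
API_BASE = "https://itch.io/api/1"

def http_fetch(url, credential):
    """Real transport: GET with the credential sent as a Bearer header."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + credential})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))

class SessionBinder:
    """Binds server-issued session ids to player ids confirmed via `/me`."""

    def __init__(self, fetch=http_fetch):
        self.fetch = fetch
        self.players = {}  # session_id -> confirmed user id

    def bind(self, session_id, credential, kind):
        """Return the confirmed user id, or None if the credential is rejected."""
        if kind not in ("jwt", "key"):  # app-provided JWT or OAuth API key
            raise ValueError("unknown credential kind")
        if not isinstance(credential, str) or not 0 < len(credential) <= 4096:
            return None
        try:
            body = self.fetch(f"{API_BASE}/{kind}/me", credential)
        except Exception:
            return None  # network/HTTP/parse failure: fail closed
        # Assumed response shape: {"user": {"id": int, ...}} or {"errors": [...]}.
        if not isinstance(body, dict) or body.get("errors"):
            return None
        user = body.get("user")
        if not isinstance(user, dict) or not isinstance(user.get("id"), int):
            return None
        # Identity comes only from the API response, never from the client.
        self.players[session_id] = user["id"]
        return user["id"]

def fake_fetch(url, credential):
    """Constructed stand-in for the API so the example runs offline."""
    if credential == "good-token" and url.endswith("/jwt/me"):
        return {"user": {"id": 1234, "username": "constructed_player"}}
    return {"errors": ["invalid key"]}

if __name__ == "__main__":
    binder = SessionBinder(fetch=fake_fetch)
    print(binder.bind("sess-a", "good-token", "jwt"))
    print(binder.bind("sess-b", "forged", "jwt"))
```
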