Curio
WoWUtils
Viserio Logo
Discord

Viserio Cooldowns API

Back to For Developers

Viserio Cooldowns API: Data Handling

What the API exposes about a group, what it never exposes, and what you have to do with the data you receive.

What the API exposes

For a group whose admin has enabled API sharing, that group’s API key can read:

  • Group metadata: name, member count, linked guild (region/realm/name).
  • Roster: member display names, ranks, roles, optional aliases and battletags, and their characters (name, realm, class, spec).
  • Resets: names, week references, setups, boss order, roster references.
  • Cooldown notes and assignments: metadata and structure only (boss, difficulty, names, counts, links). The actual note text and assignment tables are not exposed.

What the API never exposes

We never expose Battle.net account identifiers, supporter or payment identifiers, third-party access tokens, or any internal system data. We do not collect user email addresses at all. Who claimed a roster spot is reduced to a boolean; the underlying account is never sent.

Consent model

  • Data is served for a group only after a group admin enables API sharing. The key is a group credential created by an admin; there is no per-person access. A supporter boost is not required for access; it only raises the request quota.
  • When a group disables API sharing, access to that group’s data stops within a short cache window.
  • An individual whose battletag appears can ask a group admin to disable the group’s API sharing or remove them from the roster. We can also disable a group’s key on request or for cause.

What we log

Request metadata only: timestamp, method, path, key id, client IP address, and response status, plus rate-limit and abuse accounting. The IP address is needed to detect and block abusive traffic. We do not log response payloads. Logs are retained only as long as needed for abuse investigation and capacity protection.

Obligations on API consumers

  • You are responsible for data you store. Hold exposed personal data (battletags, character names) only as long as your integration needs it.
  • Do not create a permanent mirror. Delete cached data within 30 days unless it is refetched. A refresh-based cache that re-fetches and expires data is acceptable; a permanent copy is not.
  • Delete a group’s data when that group’s access is removed or its opt-in is withdrawn.
  • Respect Blizzard’s Battle.net / WoW API terms for any stored or displayed data.
  • Do not surface a guild member’s information where that member has not agreed to it, and do not use the data to identify, contact, or profile individuals beyond the guild-tooling purpose.
  • Secure stored data at least as carefully as your own account credentials.

Our commitments

  • Read-only API, least-privilege database access, no write path.
  • Group admin opt-in enforced on every request; boost only sets the quota.
  • One key per group, admin-managed, hashed at rest, shown only once.
  • Booster identities are never exposed, only aggregate boost totals.
  • We act on opt-out and revocation promptly.