Tokenless player authentication for web

Overview

Rivet can authenticate web browsers without any tokens by observing which domain API requests are sent from.

In this case, no public token needs to be provided at all to the API client.

How it works

All requests made from web browsers have an Origin header that specifies what webpage is making the request.

Rivet uses the Origin header to find your game's *.rivet.game domain or custom domain and authenticate the request accordingly.

Run the following command and replace my-game.rivet.game with the domain of your game.

curl \
    --header 'Origin: https://my-game.rivet.game' \
    https://matchmaker.api.rivet.gg/v1/regions

You should see a list of regions you have enabled for Rivet Matchmaker.

Security

Origin headers cannot be spoofed within a web browser. This means people cannot host copies of your game on their own site.

However, the Origin header can be spoofed using something like curl. Make sure that domain-based authentication is only used on namespaces that are intended to be public.

Disabling domain-based authentication

If you need to create a private namespace that should not be publicly accessible, you should disable domain-based authentication. Instead, use public tokens paired with CDN HTTP authentication.

This can be done by navigating to Developer > My Game > My Namespace and disabling Domain-based Authentication.

Tokenless player authentication for web

Overview

How it works

Security

Disabling domain-based authentication

On this page