Player Authentication

When a player connects to your game server, the server must verify they are who they claim to be. This is not optional. Without server-side authentication, any modified game client can impersonate any player, including server admins.

Treat every game client as compromised.

The client should never have authority over the server. A player’s identity, permissions, and game state must be verified server-side, not accepted from the client on trust.

This means:

  • The server validates the player’s identity using a platform-verified method (e.g., Steam Auth Ticket)
  • The server checks whether that identity has permission to join (not banned, has access, etc.)
  • The server assigns roles and permissions based on its own records, not client claims
  • The client provides proof of identity that the server can independently verify

The authentication flow looks like this:

Diagram

The critical step is #2: the server must verify the token independently. If the server just reads the token contents and trusts them without verification, the entire system is bypassed.

Authentication tokens have short lifespans by design. Your server should:

  • Validate the token within 2-5 seconds of receiving it
  • Reject connections that take too long to present a token (10 seconds max)
  • Never cache or reuse tokens across sessions

If a player disconnects and reconnects, they should go through the full authentication flow again with a fresh token.

If the server cannot verify a player’s identity:

  • Disconnect them immediately. Do not let them into the game world in an unauthenticated state.
  • Send a clear error message to the client (e.g., “Authentication failed. Please restart the game.”).
  • Log the failure with the claimed identity and reason for rejection.

Do not fall back to an “unauthenticated” mode where players can play without verification. This creates an exploit path.
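The rules above, collected into one server-side gate: the token is verified independently, a connection that presents no token within the deadline is rejected, tokens are never reused, bans and roles come from the server's own records, and every failure is logged with the claimed identity. This is an added example, not Nodecraft's or any platform SDK's code; `verify_token` stands in for the platform-verified check (such as Steam ticket validation), and all names here are assumptions.

```python
import logging
import time
from typing import Callable, Optional

log = logging.getLogger("auth")

TOKEN_DEADLINE_S = 10.0  # max time the client has to present a token


class AuthGate:
    """Server-side authentication gate: nothing the client says is trusted
    until the platform verifier has confirmed the token."""

    def __init__(self, verify_token: Callable[[bytes], Optional[str]],
                 banned: set[str], roles: dict[str, str],
                 now: Callable[[], float] = time.monotonic):
        self.verify_token = verify_token  # platform check, returns player id or None
        self.banned = banned              # server's own ban records
        self.roles = roles                # server's own role records
        self.now = now
        self._pending: dict[int, float] = {}  # conn_id -> connect time
        self._used: set[bytes] = set()        # tokens already consumed

    def on_connect(self, conn_id: int) -> None:
        self._pending[conn_id] = self.now()

    def stale_connections(self) -> list[int]:
        """Connections that never presented a token in time; disconnect these."""
        return [c for c, t in self._pending.items()
                if self.now() - t > TOKEN_DEADLINE_S]

    def on_token(self, conn_id: int, token: bytes, claimed_id: str) -> tuple[bool, str]:
        """Returns (accepted, role) on success or (False, reason) on failure.
        claimed_id is what the client asserts; it is only ever logged."""
        started = self._pending.pop(conn_id, None)
        if started is None:
            return self._reject(claimed_id, "no_pending_connection")
        if self.now() - started > TOKEN_DEADLINE_S:
            return self._reject(claimed_id, "token_timeout")
        if token in self._used:
            return self._reject(claimed_id, "token_reuse")
        self._used.add(token)
        player_id = self.verify_token(token)  # step 2: independent verification
        if player_id is None:
            return self._reject(claimed_id, "invalid_token")
        if player_id in self.banned:
            return self._reject(claimed_id, "banned")
        return True, self.roles.get(player_id, "player")  # role from server records

    def _reject(self, claimed_id: str, reason: str) -> tuple[bool, str]:
        log.warning("auth rejected: claimed=%s reason=%s", claimed_id, reason)
        return False, reason
```

A rejected connection is closed by the caller; the gate never returns an "unauthenticated" role.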

Each platform has its own SDK and API for player authentication. See the platform-specific guide for implementation details:

If you’re integrating with Nodecraft Studio, the platform provides its own authentication layer through Server Authorization Tokens and Player Ident. These handle identity verification, access control, ban checking, and queue completion in a single flow, so your server doesn’t need to implement each check individually.