Mackenzie Power asked

Restricting RegisterPlayFabUser requests to a url or token

Hello! We're looking to increase the security of our application on PlayFab. One of the ways we want to do this is by restricting the RegisterPlayFabUser requests to be called only from our domain/website (or have a mechanism that would supply some sort of security token before going through). Since the RegisterPlayFabUser API does not require any authentication headers, there's nothing stopping someone from potentially creating new PlayFab Users on our application if our titleId was ever exposed. Is there a way we could adjust the "Entity Global Title Policy" to put a restriction like this in place, or is there another way we could restrict this?

Tags: apis, Authentication

1 Answer

Simon Cui answered

Currently, RegisterPlayFabUser cannot be restricted to be called only from your domain/website. But it can be disabled by Authentication - Update Policy - REST API (PlayFab Admin) | Microsoft Learn, such that no client can be registered with this API, referring to API Access Policy - PlayFab | Microsoft Learn.

To satisfy your requirements, you may disable the RegisterPlayFabUser API and use Authentication - Login With Server Custom Id - REST API (PlayFab Server) | Microsoft Learn in your web server instead. If a player has logged in with a server custom Id, they can use Account Management - Add Username Password - REST API (PlayFab Client) | Microsoft Learn to add a username, password, and email.

2 comments

Mackenzie Power commented

Ok, thanks @Simon Cui! Do you think there will be any added functionality in the future that would allow for more granular restrictions or conditions to be added to some of those API calls?

Simon Cui commented, replying to Mackenzie Power

I’m not aware of any roadmap on this. Currently, I’d suggest following the workaround mentioned above. Thank you.

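The workaround from the answer, laid out as the three REST calls in order. This is an added example, not part of the original thread and not PlayFab's own code; the title ID, secret key and the `site-` ID scheme are constructed placeholders, and the request shapes follow the PlayFab REST references the answer links to, so check them against those pages before use.

```python
import json
import urllib.request

TITLE_ID = "ABCD1"         # placeholder title ID (constructed)
SECRET_KEY = "DEV-SECRET"  # placeholder; the real key lives only on the web server

def _request(path, headers, body, title_id=TITLE_ID):
    """Describe one PlayFab REST call as (url, headers, JSON body)."""
    url = f"https://{title_id}.playfabapi.com{path}"
    return url, {"Content-Type": "application/json", **headers}, body

def deny_register_policy():
    """Step 1 (Admin API): deny Client/RegisterPlayFabUser for every caller."""
    statement = {
        "Resource": "pfrn:api--/Client/RegisterPlayFabUser",
        "Action": "*", "Effect": "Deny", "Principal": "*",
        "Comment": "Registration goes through the web server only",
    }
    body = {"PolicyName": "ApiPolicy", "OverwritePolicy": False,
            "Statements": [statement]}
    return _request("/Admin/UpdatePolicy", {"X-SecretKey": SECRET_KEY}, body)

def server_login(site_user_id):
    """Step 2 (web server): run only after the site has authenticated the user."""
    body = {"ServerCustomId": f"site-{site_user_id}", "CreateAccount": True}
    return _request("/Server/LoginWithServerCustomId",
                    {"X-SecretKey": SECRET_KEY}, body)

def add_username_password(session_ticket, username, email, password):
    """Step 3 (client): authenticates with the session ticket, never the secret key."""
    body = {"Username": username, "Email": email, "Password": password}
    return _request("/Client/AddUsernamePassword",
                    {"X-Authorization": session_ticket}, body)

def send(url, headers, body):
    """POST one call and return the 'data' object of the JSON response."""
    req = urllib.request.Request(url, json.dumps(body).encode(), headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]

if __name__ == "__main__":
    calls = (deny_register_policy(), server_login(42),
             add_username_password("<SessionTicket from step 2>", "player42",
                                   "p42@example.com", "<password>"))
    for url, headers, body in calls:
        # Print header names only, so the secret key never reaches logs.
        print(url, sorted(headers), json.dumps(body))
```

The web server hands only the `SessionTicket` from step 2 back to the browser or game client; the secret key used in steps 1 and 2 is never shipped to it.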
