I want to know whether my client can abuse EntityID. There are many opportunities for clients to access EntityID. ("PlayFabClientAPI.LoginWithCustomID", "PlayFabMultiplayerAPI.GetMatch", etc.) It is even possible to get someone else's id. Can I allow clients to do this? I know that "PlayFabEconomyAPI.AddInventoryItems" for example is not allowed to be called by the client, but are there any other functions I should be aware of? Or should all of the above functions be executed in a cloud script?
Since the EntityId is an identifier which is used to get player relevant information, it is very common for players to know their own EntityId, and also know the EntityId of other players. For example, the Matchmaking - Get Match - REST API (PlayFab Multiplayer) | Microsoft Learn you mention, the client needs to know the EntityId of the other players so the client can know who they will be playing with. And you don’t need to warry about the abuse. By default, using the SessionTicket and EntityToken of the client, players can only modify some unimportant data of themselves.
2 People are following this question.
