jyfdfryyt asked

EntityAPI on clients

I was asked in another post why I don't want to call EntityAPI on clients. My understanding is that I should not call EntityAPI from clients because I suspect that hackers will modify the script and use EntityAPI to cheat. Am I wrong? I plan to disable AdminAPI, ServerAPI and EntityAPI when I build for clients.

I am afraid that clients might use their own or someone else's EntityID and use it to modify Objects or participate in matchmaking without permission.

If I argue against this myself, I would say that it is safe to enable EntityAPI if I hide important item names, queue names, and object names by cloudscript. There is a possibility to do it this way.

Please educate me if my understanding is wrong.

apis

1 Answer

Neils Shi answered

Using the Entity API requires an entity token, which is obtained by signing in, and clients can only use it to modify their own data, so clients cannot modify Objects or participate in matchmaking without permission. And if you want, you can also use the API policy to prohibit the specific API (like SetObjects) that you do not want the client to call.
