hipposoft3 asked

How to prevent client API call cheating?

Hi, I have a question about anti-cheating.

Even if I never use the client API in my script, can a cheater call the client API (POST?) to get whatever he wants, if the cheater has logged in and has a valid session ticket?

Like client.GrantItemsToUser(): can he use the valid session ticket and POST to call the PlayFab client API? If so, isn't it useless whether I use Cloud Script or not? Is not letting users know the game currency code the only way to prevent cheaters?

I'm not familiar with the 'game server' thing, so please correct my misunderstanding about it. Thanks!

apis

1 Answer

Xiao Zha answered

For anti-cheat purposes, you can control access to API resources with the API Access Policy. For more information, you can refer to API Access Policy - PlayFab | Microsoft Learn. In addition, PlayFab doesn't have a client.GrantItemsToUser API; instead, PlayFab provides the admin.GrantItemsToUser API and the server.GrantItemsToUser API to grant items to players, and to call these two APIs in Cloud Script, you need the Secret Key, which should not be exposed to players.

2 comments

hipposoft3 commented

@Xiao Zha Thank you so much for the reply!

It was my mistake. I meant that "PlayFabClientAPI.AddUserVirtualCurrency()" is a client API that exists and is important for the in-game economy. The "API access policy" can prohibit using this API from both script and POST calls, right?

But is there a way to let me use the AddUserVirtualCurrency() client API in my code (script) while not letting cheaters use the API via a POST call? Is this possible?

Or should I use Cloud Script and block the client API in the API access policy?

Xiao Zha commented (in reply to hipposoft3)

The "API access policy" can prohibit using the API from both script and POST calls. For the in-game economy, we recommend using the server.AddUserVirtualCurrency() API in Cloud Script, because calling the API in Cloud Script is safer than calling it on the client, and it is more suitable for implementing your own user input checking method to exclude API calls from cheaters.
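
The server-side input checking recommended in the reply above, as an added example that is not part of the original thread and not PlayFab's own code. It assumes the classic Cloud Script handler style; `claimReward`, the reward table, the `lastClaim_` key prefix and the currency code `GD` are hypothetical.

```javascript
// Added example: validate on the server before granting currency.
// Runs in Node with a stubbed `server`; in classic Cloud Script the globals
// `handlers`, `server` and `currentPlayerId` are provided by PlayFab.
// Constructed reward table: ids, amounts, cooldowns and "GD" are assumptions.
const REWARDS = {
  level_clear: { currency: "GD", amount: 50, cooldownMs: 60 * 1000 },
  daily_login: { currency: "GD", amount: 200, cooldownMs: 24 * 60 * 60 * 1000 },
};

// Hypothetical helper. The client supplies only a reward id; the currency
// and amount always come from the server-side table, never from `args`.
function claimReward(server, playFabId, args, nowMs) {
  const id = args && typeof args.rewardId === "string" ? args.rewardId : "";
  if (!Object.prototype.hasOwnProperty.call(REWARDS, id)) {
    return { granted: false, reason: "unknown_reward" };
  }
  const reward = REWARDS[id];
  const key = "lastClaim_" + id;

  // Read-only user data can only be written through the server API, so a
  // player cannot reset this timestamp with client API calls.
  const stored = server.GetUserReadOnlyData({ PlayFabId: playFabId, Keys: [key] });
  const entry = stored.Data && stored.Data[key];
  if (entry && nowMs - Number(entry.Value) < reward.cooldownMs) {
    return { granted: false, reason: "cooldown" };
  }

  // Record the claim first so a retried request cannot be granted twice.
  server.UpdateUserReadOnlyData({ PlayFabId: playFabId, Data: { [key]: String(nowMs) } });
  const result = server.AddUserVirtualCurrency({
    PlayFabId: playFabId,
    VirtualCurrency: reward.currency,
    Amount: reward.amount,
  });
  return { granted: true, balance: result.Balance };
}

// Registration inside Cloud Script; skipped when run outside PlayFab.
if (typeof handlers !== "undefined") {
  handlers.claimReward = (args) => claimReward(server, currentPlayerId, args, Date.now());
}
```

With the client `AddUserVirtualCurrency` call denied in the API access policy, a handler like this becomes the only path to a grant, and an `amount` field sent by a modified client is ignored.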
