hipposoft3 asked

Does the developer secret make the client API safe enough?

Hi.

I have read some posts on this forum and have asked some questions, and I understood that client API calls need the developer secret. The secret is saved somewhere on the PlayFab server, and the PlayFab SDK makes the secret connection automatically so that client API calls become safe. Cheaters also can't access it and can't call client APIs to get rewards or profit.

If that's true, isn't there no reason to use Cloud Script to call server APIs, because the client API is safe enough thanks to that secret? Is it OK not to block the client API in the API access policy? I think I'm over-worrying about security.

Please tell me whether my understanding of PlayFab is right. Thanks.


1 Answer

Rick Chen answered

Client APIs don't require a secret key, but they require a session ticket (except login APIs). The PlayFab SDK stores the session ticket when calling login APIs and uses this session ticket to call other client APIs. Cheaters cannot call client APIs for other players' accounts unless they manage to obtain the session ticket or secret (password, etc.) of other players. Session tickets expire in 24 hours.

Server APIs have many privileges and should not be called by the client. For example, the server API GrantItemsToUsers can grant any items to any users. If you allow the client side to directly call this server API, clients can grant any items to themselves as they want. Therefore, you should write some cheat-detection logic in your CloudScript to verify the request from clients before granting items to users.

Overall, you should never expose your developer secret key to the client.
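To illustrate the CloudScript verification the answer recommends, here is an added example (not from the post, and not PlayFab's own code): a handler that decides a reward claim from server-held read-only player data and an allow list, and only then calls GrantItemsToUser. The quest ids, item ids, catalog version and the in-memory stand-in for the Server API are constructed; inside PlayFab the globals `server` and `currentPlayerId` would be passed in, and the handler registered on `handlers`.

```javascript
// Constructed allow list: the client sends only a quest id, never item ids,
// so it cannot choose what it is granted.
const QUEST_REWARDS = {
  quest_daily: { itemIds: ["gold_pouch"], catalogVersion: "main" },
  quest_boss: { itemIds: ["rare_sword"], catalogVersion: "main" },
};

// Pure check against read-only player data (writable only by server code).
// Returns null when the claim is valid, otherwise the rejection reason.
function validateClaim(questId, readOnlyData) {
  if (!Object.prototype.hasOwnProperty.call(QUEST_REWARDS, questId)) return "unknown quest";
  const done = readOnlyData["completed_" + questId];
  if (!done || done.Value !== "true") return "quest not completed";
  const claimed = readOnlyData["claimed_" + questId];
  if (claimed && claimed.Value === "true") return "reward already claimed";
  return null;
}

// The player id comes from the session (currentPlayerId in CloudScript), never
// from args, so a client cannot claim on behalf of another account.
function claimQuestReward(args, playerId, server) {
  const questId = args && args.questId;
  const keys = ["completed_" + questId, "claimed_" + questId];
  const data = server.GetUserReadOnlyData({ PlayFabId: playerId, Keys: keys }).Data || {};
  const reason = validateClaim(questId, data);
  if (reason) return { granted: false, reason: reason };
  const mark = {};
  mark["claimed_" + questId] = "true";
  // Record the claim first so a replay of the same request is rejected.
  server.UpdateUserReadOnlyData({ PlayFabId: playerId, Data: mark });
  const reward = QUEST_REWARDS[questId];
  server.GrantItemsToUser({ PlayFabId: playerId, ItemIds: reward.itemIds,
                            CatalogVersion: reward.catalogVersion });
  return { granted: true, items: reward.itemIds };
}

// Constructed in-memory stand-in for the three Server API calls used above,
// so the handler can be exercised offline. Grants are recorded for inspection.
function makeFakeServer(initial) {
  const store = Object.assign({}, initial), grants = [];
  return {
    grants,
    GetUserReadOnlyData: (r) => ({ Data: Object.fromEntries(
      r.Keys.filter((k) => k in store).map((k) => [k, { Value: store[k] }])) }),
    UpdateUserReadOnlyData: (r) => { Object.assign(store, r.Data); return {}; },
    GrantItemsToUser: (r) => { grants.push(r); return { ItemGrantResults: [] }; },
  };
}
```

In a real CloudScript file the registration would be `handlers.claimQuestReward = function (args) { return claimQuestReward(args, currentPlayerId, server); }`, and the client would call it through ExecuteCloudScript with its session ticket.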


hipposoft3 commented

@Rick Chen

So, the session ticket is stored in the client (my game) in some form and cheaters can use it, so it's better to use Cloud Script. I got it.

Thank you so much Rick!
