Tokenless player authentication for web


Rivet can authenticate web browsers without any tokens by observing which domain API requests are sent from.

In this case, no public token needs to be provided at all to the API client.

How it works

All requests made from web browsers have an Origin header that specifies what webpage is making the request.

Rivet uses the Origin header to find your game's * domain or custom domain and authenticate the request accordingly.


Origin headers cannot be spoofed within a web browser. This means people cannot host copies of your game on their own site.

However, the Origin header can be spoofed using something like curl. Make sure that domain-based authentication is only used on namespaces that are intended to be public.

Disabling domain-based authentication

If you need to create a private namespace that should not be publicly accessible, you should disable domain-based authentication. Instead, use public tokens paired with CDN HTTP authentication.

This can be done by navigating to Developer > My Game > My Namespace and disabling Domain-based Authentication.

Disable domain based auth


Open-source multiplayer infrastructure. Easy, flexible, and affordable.

This website is not sponsored by or affiliated with Unity Technologies or its affiliates. Unity Trademark(s) are trademark(s) or registered trademark(s) of Unity Technologies or its affiliates in the U.S. and elsewhere. | This website is not sponsored by, affiliated with, or endorsed by Epic Games, Inc. or its affiliates. 'Unreal Engine' is a trademark or registered trademark of Epic Games, Inc. in the U.S. and elsewhere. | The HTML5 Logo by the World Wide Web Consortium (W3C), used under a Creative Commons Attribution 3.0 License. Source | The Godot Engine Logo by the Andrea Calabró, used under a Creative Commons Attribution 4.0 International License. Source | Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries. Docker, Inc. and other parties may also have trademark rights in other terms used herein.

© 2024 Rivet Gaming, Inc. All rights reserved.