Tokenless player authentication for web
Rivet can authenticate web browsers without any tokens by what domain API requests are sent from.
In this case, no public token needs to be provided at all to the API client.
All requests made from web browsers have an
Origin header that specifies what webpage is making the request.
Rivet uses the
Origin header to find your game's
*.rivet.game domain or custom domain and authenticate the request accordingly.
Origin headers cannot be spoofed within a web browser. This means people cannot host copies of your game on their own site.
Origin header can be spoofed using something like
curl. Make sure that domain-based authentication is only used on namespaces that are intended to be public.
If you need to create a private namespace that should not be publicly accessible, you should disable domain-based authentication. Instead, use public tokens paired with CDN HTTP authentication.
This can be done by navigating to Developer > My Game > My Namespace and disabling Domain-based Authentication.