Tokenless player authentication for web


Rivet can authenticate web browsers without any tokens by what domain API requests are sent from.

In this case, no public token needs to be provided at all to the API client.

How it works

All requests made from web browsers have an Origin header that specifies what webpage is making the request.

Rivet uses the Origin header to find your game's * domain or custom domain and authenticate the request accordingly.


Origin headers cannot be spoofed within a web browser. This means people cannot host copies of your game on their own site.

However, the Origin header can be spoofed using something like curl. Make sure that domain-based authentication is only used on namespaces that are intended to be public.

Disabling domain-based authentication

If you need to create a private namespace that should not be publicly accessible, you should disable domain-based authentication. Instead, use public tokens paired with CDN HTTP authentication.

This can be done by navigating to Developer > My Game > My Namespace and disabling Domain-based Authentication.

Disable domain based auth

Was this page helpful?