Skip to main content

Browse GamesGame JamsUpload GameDeveloper LogsCommunity
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines
redonihunter297 days ago(+1)
Usernames are already publicly visible in profile and activity pages

Where is this?

As a developer you cannot say who plays or downloads your game. Only when payment is involved you get some information. You do not even see on which collections it is, unless those are public collections.

As a fellow player I cannot tell who else plays a game.

I do can see comments made. But that is "opt in". And I might see what is happening in the feeds, but those are not attached to games, but to feeds, and I only see the public ones.

Making profile information accessible to amateur developers is kinda dangerous. Even with "opt in". How often do people "opt in" to a website these days? It is meaningless. No one knows the consequences of such opt ins. It would also make those profiles accessible to scammers and you can bet that they will try to exploit this somehow. Itch is a huge target for bad people.

If someone wants to make a high score or whatever, they can request an "opt in" that would not involve publicly displaying the username. Itch is not this type of social network: you do not use your username to interact with other users. You can't. There is no private or direct messages. There just is not the infrastructure under the hood to play games as a "logged in user", such as it is on Steam. On Steam they have multiplayer support, voice chat and whatnot. You can see reviews, comment on them. Make friend lists, see who is online and all those features. Itch has none of that. Suddenly using the profile name for something like a high score, is out of character for lack of a better term.

Reply
JackPrograms297 days ago (1 edit) (+1)

I think the point is that the game developers make the infrastructure around it (ie friend lists and lobbys), not itch.

But also, playing “logged in” already somewhat exists on the itch.io app. Where you can authenticate user accounts and that sort of stuff with the api, directly getting account info. Just from loading up an app. I just think This would be super useful in web projects ran on the website, bc that’s where majority of traffic comes from.

It could be like a oauth screen before loading up a game, where the user better understand what’s happening when they login, but also it’s a public website, I don’t understand the point of hiding usernames bc of privacy or anything of that sort.

Third point, about user anonymity, itch.io is a website that contains largely unmoderated (to my knowledge, I don’t really go around making virus and stuff) javascript code execution, you can already get a lot more info such as IP addresses, approximate location and that sort of stuff from users that play your games, hell google analytics tells you a lot of information about your players. I don’t understand the logic that an opt-in user identification system would be so detrimental to site security.

Reply
redonihunter297 days ago
I think the point is that the game developers make the infrastructure around it (ie friend lists and lobbys), not itch.

If they really do this, why do they need the Itch profile for that? They can deal out a login on their own. Itch has no support for a lobby to begin with. Or for friends list. But then again, if your game is big enough for things like that, you probably are hosting it on your own website, where you can easily put some more advertisements for all the freeloaders.

Where you can authenticate user accounts and that sort of stuff

In theory. I have never seen a game that needed that. Are there any popular examples you can name? I did read the faq and know there is an api for that, but actually never saw this done.

but also it’s a public website, I don’t understand the point of hiding usernames bc of privacy or anything of that sort

Itch is a public website in the sense that anyone can access it, if they can access US websites. It is not a public website in the sense that users see other users. Apart from public activity like commenting or having a public collection you do not see any activity at all from other users. None. You also do not see "who is online", like you do see on some message boards.

Once users grasps that concept, suddenly seeing their account names on a leaderboard, just because they clicked away that cookie warning or whatever that nagging screen was, is surprising. This is bad site and information flow desgin, if it were implemented.

They could improve support for web games to do fancy things. But if they do, please with robust api and with strict rules like vetting the developers.

I don’t understand the logic that an opt-in user identification system would be so detrimental to site security.

Life Scammers will find a way. I have literally seen hundreds of hacked accounts on Itch. Itch accounts are a target, as are Discord accounts. Coincidentally, many people name both the same...

An opt in is useless, if people do not understand what that means. Or would you understand that such an opt in means that anyone seeing that leaderboard could just try out passwords with your account name and try to hack your account? You do not even need to be a fake developer and harvest names. Anyone could see them.

Personally, for me it boils down to this: I do not trust amateur developers with this kind of information. There would need to be an ultra robust and fool proof api for that, with no way of exploits and a system to ensure that the dev would not be a scammer. Amateur devs playing around with account names. No, thank you. I would rather not have that.

Reply
JackPrograms297 days ago (2 edits) (+1)

Are there any popular examples you can name?

The reason there are no examples is that the feature isn’t fully implemented. Most traffic doesn’t use the itch.io app for web games, so it would prevent most users from using the feature.

clicked away that cookie warning or whatever that nagging screen was

All the “nagging screen” would need to say is “developers will be able to see and share your username” that’s really it for people to fully understand.

Here’s an idea. (in this case, a non-naggy checkbox that would need to be checked for any data to be sent.)

Probably needs some changes like an always yes/no that can be changed in account settings, and other stuff to fit itch’s design language. But it can be made it a way for the user to understand whats going on.

anyone seeing that leaderboard could just try out passwords with your account name and try to hack your account

First, I’m fairly sure itch.io has rate limiting, you can’t just spam password attempts without raising some red flags (getting your IP banned for some time, or account locked or something), but let’s say they don’t for the sake of example.

If people can just get into accounts with usernames and spamming passwords, why do people comment/post/review/do anything with their username attached?

Like, if I can hack people with just a username & some time, wouldn’t you be putting yourself at risk by replying to any posts?

Also, You can search a long list of users (mostly creators) with the search bar at the top of itch.io? If usernames were really that sensitive, why do you see them everywhere?

But also, it could pass in a display name or unique identifier to web games, instead of a username, avoiding this username/hacking point entirely.

Reply
yuripourre297 days ago (1 edit) (+1)

Hi @redonihunter,

Answering your question:

"Where is this?"

Every time someone makes a comment, the username is displayed, I don't see how enabling access to the usernames can make it too much worse.

About what you mentioned:

I think you are saying that if the user never interacts in the platform, they don't have the username exposed, right? But I am not sure if I agree that exposing those could be a security concern.

You mentioned the usernames are accessible via cookies, if the apps can access that information I think this is even more concerning in terms of security, right? Also, cookies can be manipulated so you cannot rely on the information there, users can potentially modify any content there.

And finally, you mentioned that itch.io is not "this type of social network", I disagree. Yes, itch.io don't have all the features other social networks have but I think is implicit that any interaction you have will expose your username. Like creating a comment on this post, creating a devlog or publishing a game.

Itch.io doesn't have any authentication so there is no way around it. I would like to have this feature, I think it can be really useful not only for high scores but to learn more about the players.

Reply
redonihunter297 days ago(+1)

There are orders of magnitudes between players, ratings and comments. Most people do not comment, nor rate. So you would maybe have 1 comment, 10 ratings and 100 users. The only public interaction is the comment. And about half of the ratings are seen in the global feed for like 5 minutes.

The potential public exposure for the other 94 people would be unexpected. And most of the 5 people with public review probably did not read their settings.

You mentioned the usernames are accessible via cookies

I did no such thing. I said web games can recognise recurring users. Not that they do this by the account name. I believe this to work with cookies.

Yes, itch.io don't have all the features other social networks have but I think is implicit that any interaction you have will expose your username. Like creating a comment on this post, creating a devlog or publishing a game.

It has basically no social network features at all. Itch is a download store that happens to also host some web games and happens to have a rudimentary commenting system. 

Providing multiplayer support in any way would be nice for the platform. But it would also be a nightmare to implement.

Reply
yuripourre297 days ago (2 edits) (+2)

I think you are missing the point.

First of all, you can rate content, create comments, follow users, create dev logs, create comments for dev logs. I don't know what features YOU need to call it a social network, but itch.io is a social network.

Secondly, no one is asking for multiplayer or any other new feature (other than maybe an opt-in), what I see here is people asking to make possible for apps to access an information that already exists (and is public).

I still don't understand your argument about how making the public usernames easily accessible would be a security concern.

I am not sure if you just want to be against this proposal or you have a real concern, if is the latter, what do you recommend? Oauth? Each game to implement a secondary login on top of itch.io? What would be the safest way to do it?

Reply
redonihunter296 days ago (2 edits) (+1)
an information that already exists (and is public).

It is not public. That is my point. (It is not even known to the developer running a web game!)

You do not see who is playing a game. You do not see who is online. You do not have a "friends" list. You cannot comment on reviews, you cannot even see them attached to a game. You cannot "share" your activties. Best you can do is publish a collection on your profile.

Would you call all message boards "social networks"? There are reviews with comments on products on online stores. You call those a social network too? There is a social component, yes, but that does not make it a social network.

Making information public that previously was not, is a thing that should be thoroughliy scrutinized. And imho unless Itch does implement a whole lot of other mulitiplayer support, there is no need to access such information for things like leaderboard that can be implemented by other means.

Reply
yuripourre296 days ago

Ok, I think I understand your point now, there is a comment talking about profile information that probably make you concerned but that's not the intention of the original comment.

What is being asked is to know who is playing your game if this person is logged in, and that's all. This information is public (if the person decides to publish something).

Personally, I think it's a reasonable request and can cause more good than harm.

About the implementation, instead of a opt-in, itch.io could simply warn users that the username is public. And because is possible to change your username, if someone wants to change before this new feature is released, they could simply change their username. What is the point of the username anyways? Display it publicly right?

Reply
redonihunter296 days ago
What is being asked is to know who is playing your game if this person is logged in, and that's all. This information is public (if the person decides to publish something).

What do you think public means in this context?

The information who is playing which games is not public. It is not even known to the dev that published the web game. Hence this very thread.

Even if the existing api is capable of doing this, when playing a game or a web game with the Itch app, using the username inside the game (like displaying it on a leaderboard) would violate some privacy boundaries. Itch is just not a place like those web game hosters with the microtransactions or facebook games or even Steam.

Itch might one day have such capabilities, but as I said elsewhere here, there would need to happen a major overhaul including a huge bunch of other multiplayer support features that enable and control the interaction between users while playing online together.

Reply
JackPrograms296 days ago

Itch.io already supports multiplayer web games, they just don’t own the servers and stuff, the devs do.

This whole “overhaul” thing doesn’t need to happen, itch doesn’t need to do the peer to peer connection.

Giving display names to devs has vary little to do with a itch.io friends system or other “multiplayer support” it just gives devs the ability to implement that.

Reply
redonihunter296 days ago
Itch.io already supports multiplayer web games

How does this support look like?

There are multiplayer web games on itch, yes. About 2000 or so. But do they implement multiplayer with any sort of support by Itch ecosystem?

https://itch.io/games/multiplayer-adhoc/platform-web

https://itch.io/games/multiplayer-server/platform-web

Reply
JackPrograms296 days ago(+1)

No, that’s the issue, that’s what we’re asking for.

A UID & Display name passed into games so it can connect better with the itch.io ecosystem.

Just bc something doesn’t exist right now, doesn’t mean it shouldn’t.

Reply
AboutFAQBlogContact us
Copyright © 2025 itch corp · Directory · Terms · Privacy · Cookies