Skip to main content

Browse GamesGame JamsUpload GameBlack Friday Creator Day 2025Developer LogsCommunity
On Sale: GamesAssetsToolsTabletopComics
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines
mid1 day ago(+1)

I don’t see why you cannot trust OAuth. The API key gets passed in the callback URL you define when you register your OAuth application. This URL can be for an HTTP server your client runs, or it can be the same server that hosts your multiplayer games.

In any case, the API key can be verified by querying Itch. There’s no problem.

Reply
Alaskan Druid1 day ago

Right. I just wanted to make sure I wouldn't be violating any rules/policies having the mmo server verifying game purchase/profile info using the player's api key.

Reply
mid21 hours ago(+1)

DW, that’s what it’s there for.

On the other hand, I made a small error. In practice, I think running the HTTP host on the client is the only choice, because that lets the game server pair the API key to the client’s network address, whereas otherwise there would be a security risk.

Reply
Alaskan Druid21 hours ago

Thank you! It turns out, after going through the API some more. Since its a free game, it will never show up as owned/purchased via API, so there is no way to determine if a person owns a copy of the game via API. So that part is worthless in my case. However, the user_id is as different story, so I can at least check that.


Thank you for your replies.

Reply
AboutFAQBlogContact us
Copyright © 2025 itch corp · Directory · Terms · Privacy · Cookies