I have a multiplayer game using the itch.io API-Key for passwordless access. When started via the itch.io app I use the API-Key given by the app otherwise I use OAuth to get the API-Key.

In the case of the itch.io app the process looks like this:

I now realized that this is not secure as it can be exploited like this:

The documentation here says that the key is game specific. But I don't know how to verify that the key is for my game. If the itch server would tell my server at step 6 for which game the key was created the flaw would be fixed.

Is there a possibility for my server to find out for which game the key was created?

Whe the game is not started via the itch.io app I use the OAuth-API to get the API-Key. That has the same problem: I don't know how to verify that the given key was created for my game.

Did I miss something? Or is it not possible with the current API to implement a secure passwordless login?

Maybe this is not a real problem ... who will steal access to a game that is free anyway?

You can call the endpoint /api/1/API_KEY/me to get information about the current user & the key you're using to access them with.

For JWT keys, which are bound to a game, you'll see a field: 

issuer: { game_id: 111111 }

Try that out and tell me if you have any issues.

That worked. Thank you!

What about the OAuth-Key? In my profile I can see that they are linked to the OAuth application. Can I query that information as well?

I'm having the exact same security problem, that my app can't figure out if a given OAuth key was issued for my app and not for evil one. I'm working on an online tool which works with sensitive data (API keys), and I'd like to use itch.io OAuth authentication instead of inventing my own, but it's not secure in its current condition. As I understand, adding a field like

issuer: { client_id: "ABCDEF" }

to /me API response would fully solve this problem. Would it be possible to fix please? @leafo