Browse GamesGame JamsUpload GameDeveloper LogsCommunity
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
Tags
itch.io Community » itch.io » Questions & Support

[Help] How to check players own a key of my game?

A topic by Uju Studio created Aug 28, 2023 Views: 623 Replies: 6
Viewing posts 1 to 3
Uju Studio264 days ago

I found out that itch.io is missing app authorization to find out if users own the games actually. What I want is to find out if players own my game. And if so, they can play the game. itch.io is missing that thing, so it's easy to get pirated for our itch.io games. Only user names may not the real key owner, so it may require passwords.

[A very similar old topic with no answers]

My theory that I want to solve this is by using this page. Steps would be:

  1. Login User with itch.io account inside my game with password. Without passwords, people may enter a real user key, the key owner isn't him maybe. Password confirms it as real key owner.
  2. From login information, if login was successful, take user name (USER_NAME), global game key (KEY) and request : " GET USER_NAMEhttps://itch.io/api/1/KEY/me "
  3. If KEY matches response than start/continue the game.

I don't find a way to get player logged in the game with itch.io account with passwords, nor it's completely secured.

Did you guys found any ways to check if a user owns the itch.io game? If you do, your help would be greatful for me and for anybody coming here in future. I really need help...

Thanks in advance!

Reply
hechelion263 days ago (2 edits) (+2)

Hi, I'm not quite sure I understand you.

You ask something, that yourself answer with the link, but then it seems that you are really looking for a DRM system.

First, directly answering your question, in the same link you share you have the following API:


https://itch.io/api/1/KEY/game/GAME_ID/download_keys
You can use this API call to verify that someone has a valid download key to download the game


In other words, with that you can know if a certain user owns your game or not. However, it seems that this is not what you are looking for.

From what you describe, it seems that you are more interested in knowing that indeed the person who is using the PC is a valid itch user and that they have bought your game. In that case read about OAuth which seems to be what you are looking for.

https://itch.io/docs/api/oauth

Regardless of that, since you are talking about piracy, I think what you are really looking for is to incorporate a DRM system, and Itch does not incorporate any such tool, if you want to implement any DRM mechanism in your game, you must implement it yourself.

Reply
Uju Studio263 days ago

Sorry for my confusing sentences I usually create most of the time.

https://itch.io/api/1/KEY/game/GAME_ID/download_keys looks like this thing is the best option. Okay, if I own a itch.io game, it will generate a download key for the player. (1) How is it's response if player owns the game?

But now if I send this - https://itch.io/api/1/KEY/game/GAME_ID/download_keys http request from my game, user may always see error:{ invalid } . Because itch.io doesn't knows who is the user, as he/she isn't logged in inside my game. But what I want is now get user logged in my game and than check his name from log in information. And than I want to check if he bought my game by sending http request to itch.io.

Now my problem with this method is how to do a login check with itch.io. So if it's the real itch.io user, than the game continues to check if that user bought the game. If he has the key, than game starts. (2) Is there a login system of itch.io to put it in my C# game ?

(3Do you think OAuth may be better? I checked it a bit before. But itch.io API would also be easier than OAuth. As I expect player is using itch.io apps. But (4) recommend me your opinion, should I do with the login thing or look for OAuth ...

Also, thanks for your timely previous response, I thought none would answer anything.

Sorry if I confused you guys again  😅 

Reply
mid263 days ago

Logging in is done with OAuth, and, yes, this is trivially breakable.

Reply
redonihunter263 days ago(+1)
I found out that itch.io is missing app authorization to find out if users own the games actually. What I want is to find out if players own my game. And if so, they can play the game. itch.io is missing that thing, so it's easy to get pirated for our itch.io games.

As in contrast to which games? If you can get pirated copies of AAA games, what do you think your games are?! 

DRM is a problematic concept in many ways. Foremost, that it only punishes legit players. You will not sell more games, because a game has drm. The creator might have the fuzzy warm feeling that the game is harder to copy. But the concrete cold reality is, that  no one will buy the game because it has drm, but many will intentionally not buy it, if it has one. Just read some steam reviews of games that implement additional drm.

For any kind of online experience, drm is moot anways.   You have your servers and login credentials, a thing like client side drm does add nothing.

The api you mentioned requires you to have a server. Wich brings us back to the online experience. And there are users that will be very, very suspisious, if an offline game requires internet connection. And quite frankly, I would not trust a small time indie dev to handly any such thing at all.

But from what I understood, you could implement some login type drm   with this oauth thingie. But after having a look at your creators profile and games, your concerns about pirated versions of your games are purely academical. And to be more specific, I for one would not buy any of your games, if I had to login onto your servers to play  them. For the single reason, that I do not trust a small dev like you to still have that login server in two years.

Reply
Uju Studio263 days ago

Actually I don't think I am for DRM.

It's just for a check if user is a real user who has itch.io account. If he is a real itch.io user, than get his user name and ask itch.io if user with that name had legally bought the game. The game will start only if itch.io responses okay. Is that DRM bro lol

AAA games are not always hackable. I found COD MW 2020 isn't hackable. It has a strong checker that checks if player really bought their games legally.

I am not so strong with two arms only. But I leave this to itch.io api to check player ownership. Or maybe as previous response said about OAuth to use, which maybe better I guess. I'll research more ways out.

Let me see if I OAuth is better...

Reply
redonihunter263 days ago
Is that DRM bro lol

If you have an offline game, yes. That is precisly what it is.    

If you have an online game, that is, online services,  then, no, not really. It is just a side effect of the means of loggin in. What you need to do anyways to play the game with something like a persistent user account.


 I found COD MW 2020 isn't hackable. It has a strong checker that checks if player really bought their games legally.

That is not, what is happening there. This is an online game. And they even made the offline single player campaign "online".  Resulting in lots of frustrated players, because they could not even play the  single player    portion of the game during release, because their lame servers were not reachable. Proving my point, that it is legit players that suffer from drm.

If you have crucial elements of your game on your server, this goes beyond simply "checking", if the player bought the game. You force it to be an online game. And the game is prone to server failings of any sort, including quitting of the gaming company. If I pay for an offline game, I want to be able to play it, even if the company that made it, ceases to exist.

I think you are worrying about an aspect of game publishing, that is not relevant for the scope and type of games you make. (Unless you try to make an online game, of course). You should be glad, if people would want to pirate your games at your stage of recognition.  You have more games published than followers on itch, for crying out loud! You think your authentication process will bring in more players?! The dangers of alienating the players you do have, far outweighs any perceived benefit of having such auth. 

And imho it is perceived benefit and not real benefit. (Again, unless you plan on making an online game and merely are struggling with the necessary login  stuff. Maybe I misunderstood.)

Reply
This topic has been auto-archived and can no longer be posted in because there haven't been any posts in a while.
AboutFAQBlogContact us
Copyright © 2024 itch corp · Directory · Terms · Privacy · Cookies