For Server/Client games... how do you handle API calls?

A topic by Alaskan Druid created 2 days ago Views: 45 Replies: 4

So, using the "never trust the client" coding methodology...

I am used to developing for Steam. The steps there are pretty simple:

1. Game client reaches out through the steam dll to generate a session ticket and sends that ticket info to the server.

2. Server reaches out to the steam servers to verify the ticket info. And bind the steam id to the player game data (characters, etc).

In the above, the server doesn't trust the data from the client, but trusts the Steam servers' response. Pretty simple. For itch.io, I don't see the equivalent. The closest I can find is something like the following, but I want to make sure I'm not breaking any policies, etc.:

1. Client reads their API key via environment variable and sends it to the server (encrypted). <-- I have to enforce the game to run via the itch.io client -only-, never on its own.

2. Server makes call against itch.io with that key to get the Id, and to determine if player has purchased the game. And bind the itch.io id to the player game data (characters, etc). <-- this piece is huge for me as I have no wish to store the player's api_key anywhere as I view it to be a big security issue.

I can't use OAuth since players should -never- ever have access to the game server. Does the above make sense?


Due to never, ever, trusting the client, I cannot let the client perform the api call and send the itch.io id to the server as the server has no way to verify that id and if the player has purchased the game.

(+1)

I don’t see why you cannot trust OAuth. The API key gets passed in the callback URL you define when you register your OAuth application. This URL can be for an HTTP server your client runs, or it can be the same server that hosts your multiplayer games.

In any case, the API key can be verified by querying Itch. There’s no problem.

Right. I just wanted to make sure I wouldn't be violating any rules/policies having the mmo server verifying game purchase/profile info using the player's api key.

(+1)

DW, that’s what it’s there for.

On the other hand, I made a small error. In practice, I think running the HTTP host on the client is the only choice, because that lets the game server pair the API key to the client’s network address, whereas otherwise there would be a security risk.

Thank you! It turns out, after going through the API some more, that since it's a free game, it will never show up as owned/purchased via the API, so there is no way to determine if a person owns a copy of the game via the API. So that part is worthless in my case. However, the user_id is a different story, so I can at least check that.


Thank you for your replies.
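The server-side flow discussed in this thread (the client hands over the key from its environment, the server asks itch.io who the key belongs to, keeps only the user_id, and, as the second reply suggests, pairs the result with the client's network address), as an added Python example that is not code from the thread or from itch.io. It assumes the `GET /api/1/KEY/me` endpoint returning `{"user": {"id": ...}}` (check the itch.io server-side API docs for the exact endpoint your key type uses) and takes a `fetch` parameter so the network call can be swapped out; the session-token scheme is the example's own, not something the thread prescribes.

```python
import hashlib
import hmac
import json
import os
import secrets
import time
import urllib.request

ITCH_API = "https://itch.io/api/1"  # assumed base URL of itch.io's server-side API
# Server-only secret for signing sessions; generated per process if not configured.
SESSION_SECRET = os.environ.get("GAME_SESSION_SECRET", secrets.token_hex(32)).encode()


def fetch_itch_profile(api_key, opener=urllib.request.urlopen):
    """Ask itch.io who owns this key. Assumed endpoint: GET /api/1/KEY/me."""
    with opener(f"{ITCH_API}/{api_key}/me", timeout=10) as resp:
        return json.load(resp)


def verify_client_key(api_key, client_addr, fetch=fetch_itch_profile):
    """Exchange the client-supplied key for a server-issued session, or None.

    The key is sent to itch.io once and then dropped: only the user_id is
    bound to player data, never the key itself."""
    if not api_key or len(api_key) > 4096:  # refuse junk before any upstream call
        return None
    profile = fetch(api_key)
    user = profile.get("user") if isinstance(profile, dict) else None
    if not user or not isinstance(user.get("id"), int):
        return None  # itch.io did not vouch for this key
    return issue_session(user["id"], client_addr)


def issue_session(user_id, client_addr, now=None, ttl=3600):
    """HMAC-signed token bound to the itch.io user_id and the client's address."""
    exp = int(now if now is not None else time.time()) + ttl
    payload = f"{user_id}|{client_addr}|{exp}"
    sig = hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def check_session(token, client_addr, now=None):
    """Return the user_id if the token is intact, unexpired and presented
    from the same address it was issued to; otherwise None."""
    try:
        user_id, addr, exp, sig = token.split("|")
        user_id, exp = int(user_id), int(exp)
    except ValueError:
        return None
    expected = hmac.new(SESSION_SECRET, f"{user_id}|{addr}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if addr != client_addr or exp < int(now if now is not None else time.time()):
        return None
    return user_id
```

For a free game the thread's author found that ownership never shows up via the API, so the user_id returned here is the only identity the server can rely on.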