PlayFlow Cloud Documentation

PlayFlow supports authenticating players who connect through the Lobby and Matchmaking system. You configure an auth provider in your project settings, and PlayFlow validates player identity tokens before allowing lobby and matchmaking operations.

How It Works

When a player connects to a lobby or enters matchmaking, their game client sends an identity token in the x-player-token header. PlayFlow validates that token against your configured provider, creates or updates a player record, and grants access to the session.

Configure your auth provider

Choose a provider in Project Settings > Player Authentication on the dashboard, or via the API.

Get a token from your auth provider

Your game client authenticates with your chosen provider and receives a token — a JWT, PlayFab entity token, or Steam session ticket.

Send the token with requests

Include the token in the x-player-token header when your client connects to lobbies or matchmaking.

PlayFlow validates and tracks the player

PlayFlow verifies the token, creates or updates a player record with the provider’s user ID, and grants access. You can view authenticated players in the Players tab on the dashboard.

Auth Providers

PlayFlow supports four authentication providers. Choose the one that matches your game’s identity system.

None (Default)
Custom JWT
PlayFab
Steam

No server-side verification. The value of the x-player-token header is used directly as the player identifier. If no header is provided, the request passes through without authentication.This is the default for all projects. It is suitable for development and testing but should not be used in production.

Configuration

No configuration is needed. All new projects start with this provider.

{
  "provider": "none"
}

Behavior

The x-player-token header is optional.
If a token is provided, its raw value becomes the player’s provider_uid.
If no token is provided, the request proceeds without player identity.

None mode performs no verification. Any client can impersonate any player by sending an arbitrary token value. Use a verified provider (Custom JWT, PlayFab, or Steam) before shipping to production.

Validate JWTs from any OIDC-compliant provider using a JWKS (JSON Web Key Set) endpoint. This works with Auth0, Firebase Auth, Supabase Auth, Clerk, and any other provider that publishes a JWKS URL.PlayFlow fetches your public keys from the JWKS endpoint, verifies the JWT signature and expiry, and extracts the sub claim as the player identifier.

Configuration

{
  "provider": "custom_jwt",
  "jwks_url": "https://your-auth-provider.com/.well-known/jwks.json",
  "issuer": "https://your-auth-provider.com",
  "audience": "your-app-id"
}

Field	Required	Description
`jwks_url`	Yes	The URL where your auth provider publishes its public keys.
`issuer`	No	Expected `iss` claim in the JWT. Rejects tokens from other issuers.
`audience`	No	Expected `aud` claim in the JWT. Rejects tokens intended for other apps.

Common JWKS URLs

Provider	JWKS URL
Auth0	`https://YOUR_DOMAIN.auth0.com/.well-known/jwks.json`
Firebase Auth	`https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com`
Supabase Auth	`https://YOUR_PROJECT.supabase.co/auth/v1/.well-known/jwks`
Clerk	`https://YOUR_DOMAIN.clerk.accounts.dev/.well-known/jwks.json`

JWKS keys are cached in memory and rotated automatically when your provider publishes new keys. You do not need to restart or redeploy after a key rotation.

Native integration with Microsoft PlayFab. PlayFlow verifies PlayFab entity tokens (JWTs) against PlayFab’s published JWKS endpoint and extracts the eid (entity ID) claim as the player identifier.

Configuration

{
  "provider": "playfab",
  "title_id": "YOUR_TITLE_ID"
}

Field	Required	Description
`title_id`	Yes	Your PlayFab Title ID (found in the PlayFab Game Manager).

PlayFlow automatically constructs the JWKS URL from your Title ID:

https://{title_id}.playfabapi.com/jwks

Getting a PlayFab Entity Token

In your game client, call GetEntityToken after the player logs in:

PlayFabAuthenticationAPI.GetEntityToken(
    new GetEntityTokenRequest(),
    result => {
        string entityToken = result.EntityToken;
        // Pass this as x-player-token when connecting to PlayFlow
    },
    error => Debug.LogError(error.GenerateErrorReport())
);

Validates Steam authentication tickets via the Steamworks Web API. Unlike the JWT-based providers, this makes an HTTP call to Steam’s servers for each authentication.

Configuration

{
  "provider": "steam",
  "app_id": "YOUR_APP_ID",
  "web_api_key": "YOUR_WEB_API_KEY"
}

Field	Required	Description
`app_id`	Yes	Your Steam Application ID.
`web_api_key`	Yes	Your Steam Web API Key (from the Steamworks partner site).

PlayFlow calls the ISteamUserAuth/AuthenticateUserTicket/v1/ endpoint and extracts the steamid as the player identifier.

Getting a Steam Auth Ticket

In your game client, use the Steamworks API to get a session ticket:

// Using Steamworks.NET
byte[] ticketData = new byte[1024];
uint ticketLength;
HAuthTicket ticket = SteamUser.GetAuthSessionTicket(ticketData, 1024, out ticketLength);
string hexTicket = BitConverter.ToString(ticketData, 0, (int)ticketLength).Replace("-", "");
// Pass hexTicket as x-player-token when connecting to PlayFlow

Your Steam Web API Key is stored in your project settings. It is masked in the dashboard UI but readable by organization admins. Treat it as a secret and do not share it publicly.

Dashboard Configuration

You can configure player authentication from the PlayFlow dashboard.

Navigate to your project and open the Settings page.
Find the Player Authentication section.
Select your provider from the dropdown.
Fill in the required fields for your chosen provider.
Click Save.

The configuration takes effect immediately for all new player connections.

API Configuration

You can also configure player authentication programmatically via the engine API.

curl -X POST https://api.playflowcloud.com/api/v3/projects/settings \
  -H "api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "auth_config": {
      "provider": "none"
    }
  }'

You can verify the current configuration by reading your project settings:

curl https://api.playflowcloud.com/api/v3/projects/settings \
  -H "api-key: YOUR_API_KEY"

The response includes your current auth_config alongside other project settings.

Sending the Player Token

Once your provider is configured, your game client must include the player’s identity token in the x-player-token header on every lobby and matchmaking request.

Unity
REST API

The PlayFlow SDK handles the token header automatically when you set the player token during initialization:

// After authenticating with your provider, pass the token to PlayFlow
string playerToken = GetTokenFromYourAuthProvider();

PlayFlowLobbyManagerV2.Instance.Initialize(playerToken, () => {
    Debug.Log("PlayFlow SDK initialized with authenticated player.");
});

Include the token as a header alongside your API key:

curl https://api.playflowcloud.com/api/v3/lobbies \
  -H "api-key: YOUR_API_KEY" \
  -H "x-player-token: PLAYER_IDENTITY_TOKEN"

Players Table

Authenticated players are automatically tracked in a per-project players table. Each time a player authenticates, PlayFlow upserts a record with the following fields:

Field	Description
`id`	Unique player ID (UUID), auto-generated by PlayFlow.
`provider`	The auth provider that verified this player (`none`, `custom_jwt`, `playfab`, `steam`).
`provider_uid`	The player’s identifier from the auth provider (e.g., JWT `sub`, PlayFab `eid`, Steam `steamid`).
`display_name`	Display name extracted from the token, if available.
`metadata`	Provider-specific metadata (e.g., `owner_steamid` for Steam, `title_id` for PlayFab).
`last_seen_at`	Timestamp of the player’s most recent authentication.

Players are uniquely identified by the combination of project_id and provider_uid. If the same player authenticates again, their existing record is updated rather than duplicated. You can view your authenticated players in the Players tab on the project dashboard.

Choosing a Provider

Development / Testing

Use None to get started quickly without any auth infrastructure. Switch to a verified provider before launching.

Existing Auth System

Use Custom JWT if you already have an auth provider (Auth0, Firebase, Supabase, Clerk, or any OIDC-compliant service).

PlayFab Games

Use PlayFab if your game uses Microsoft PlayFab for player management and you want native integration.

Steam Games

Use Steam if your game is distributed on Steam and you want to verify player identity through Steam session tickets.

Getting Started

Game Servers

Lobbies & Matchmaking

Platform

Guides

Fundamentals

Player Authentication

How It Works

Auth Providers

Configuration

Behavior

Configuration

Common JWKS URLs

Configuration

Getting a PlayFab Entity Token

Configuration

Getting a Steam Auth Ticket

Dashboard Configuration

API Configuration

Sending the Player Token

Players Table

Choosing a Provider

Development / Testing

Existing Auth System

PlayFab Games

Steam Games

Next Steps

Lobby Quick Start

Matchmaking Guide

Getting Started

Game Servers

Lobbies & Matchmaking

Platform

Guides

Fundamentals

​How It Works

​Auth Providers

​Configuration

​Behavior

​Configuration

​Common JWKS URLs

​Configuration

​Getting a PlayFab Entity Token

​Configuration

​Getting a Steam Auth Ticket

​Dashboard Configuration

​API Configuration

​Sending the Player Token

​Players Table

​Choosing a Provider

Development / Testing

Existing Auth System

PlayFab Games

Steam Games

​Next Steps

Lobby Quick Start

Matchmaking Guide

How It Works

Auth Providers

Configuration

Behavior

Configuration

Common JWKS URLs

Configuration

Getting a PlayFab Entity Token

Configuration

Getting a Steam Auth Ticket

Dashboard Configuration

API Configuration

Sending the Player Token

Players Table

Choosing a Provider

Next Steps