Skip to main content
PlayFlow supports authenticating players who connect through the Lobby and Matchmaking system. You configure an auth provider for your project via the engine API, and PlayFlow validates player identity tokens before allowing lobby and matchmaking operations.

Prerequisites

  • A PlayFlow project with an API key. Player-token verification only runs for client keys (pfclient_*, the key you ship in your game build). See Sending the Player Token for why the key type matters.
  • A server key (pf_*) to configure the provider — updating project settings requires a server key (a client key returns 403).
  • If you use a verified provider, a way for your game client to obtain a token (a JWT, PlayFab entity token, or Steam session ticket).

How It Works

When a player connects to a lobby or enters matchmaking with a client key, their game client sends an identity token in the x-player-token header. PlayFlow validates that token against your configured provider, creates or updates a player record, and grants access to the session. When your project uses the default none provider, PlayFlow instead trusts the x-player-id header verbatim.
1

Configure your auth provider

Set the provider on your project with a server key via POST /api/v3/projects/settings. See API Configuration below.
2

Get a token from your auth provider

Your game client authenticates with your chosen provider and receives a token — a JWT, PlayFab entity token, or Steam session ticket.
3

Send the token with requests

Include the token in the x-player-token header when your client connects to lobbies or matchmaking.
4

PlayFlow validates and tracks the player

PlayFlow verifies the token, creates or updates a player record with the provider’s user ID, and grants access. You can view authenticated players in the Players tab on the dashboard.

Auth Providers

PlayFlow supports four authentication providers. Choose the one that matches your game’s identity system.
No server-side verification. In none mode, the player’s identity comes from the x-player-id header, which PlayFlow trusts verbatim. The x-player-token header is not consulted in this mode.This is the default for all projects. It is suitable for development and testing but should not be used in production.

Configuration

No configuration is needed. All new projects start with this provider.

Behavior

  • Send the player’s unique identifier in the x-player-id header on every player-scoped lobby and matchmaking request.
  • The x-player-id value is used directly as the player identity — there is no verification.
  • Player-scoped requests without an x-player-id header fail with 400 Missing x-player-id header.
  • x-player-token is ignored in none mode.
None mode performs no verification. Any client can impersonate any player by sending an arbitrary x-player-id value. Use a verified provider (Custom JWT, PlayFab, or Steam) before shipping to production.

API Configuration

Configure player authentication by writing an auth_config to your project settings via the engine API. This is the only supported way to set the provider.
Updating project settings requires a server key (pf_*). A client key (pfclient_*) returns 403. Keep your server key server-side — never ship it in a game build.
You can verify the current configuration by reading your project settings:
The response includes your current auth_config alongside other project settings. Changes take effect immediately for all new player connections.

Sending the Player Token

Token verification only runs for client keys (pfclient_*). Ship a client key in your game build so PlayFlow verifies each player’s x-player-token against your provider and derives identity from the verified token.A server key (pf_*) bypasses verification even when a provider is configured — it is trusted to assert identity directly via x-player-id (for trusted server-side matchmakers and admin tooling). If you test a verified provider with a server key, verification silently passes through and you may wrongly conclude it works.
Once your provider is configured, your game client (using a client key) must include the player’s identity token in the x-player-token header on every player-scoped lobby and matchmaking request. In none mode, send x-player-id instead (no token).
The PlayFlow SDK handles the token header automatically when you set the player token during initialization:

Players Table

Players verified by a provider are automatically tracked in a per-project players table. Each time a player is verified against Custom JWT, PlayFab, or Steam, PlayFlow upserts a record with the following fields: Players are uniquely identified by the combination of project_id and provider_uid. If the same player authenticates again, their existing record is updated rather than duplicated.
none-mode players are not written to the players table — no persisted record is created for them. They may appear transiently in a live lobby or match roster, but only verified-provider players are persisted.
You can view your authenticated players in the Players tab on the project dashboard.

Choosing a Provider

Development / Testing

Use None to get started quickly without any auth infrastructure. Switch to a verified provider before launching.

Existing Auth System

Use Custom JWT if you already have an auth provider (Auth0, Firebase, Supabase, Clerk, or any OIDC-compliant service).

PlayFab Games

Use PlayFab if your game uses Microsoft PlayFab for player management and you want native integration.

Steam Games

Use Steam if your game is distributed on Steam and you want to verify player identity through Steam session tickets.

Next Steps

Lobby Quick Start

Set up lobbies and start using player authentication with the lobby system.

Matchmaking Guide

Add skill-based matchmaking with authenticated players.