Prerequisites
- A PlayFlow project with an API key. Player-token verification only runs for client keys (
pfclient_*, the key you ship in your game build). See Sending the Player Token for why the key type matters. - A server key (
pf_*) to configure the provider — updating project settings requires a server key (a client key returns403). - If you use a verified provider, a way for your game client to obtain a token (a JWT, PlayFab entity token, or Steam session ticket).
How It Works
When a player connects to a lobby or enters matchmaking with a client key, their game client sends an identity token in thex-player-token header. PlayFlow validates that token against your configured provider, creates or updates a player record, and grants access to the session. When your project uses the default none provider, PlayFlow instead trusts the x-player-id header verbatim.
1
Configure your auth provider
Set the provider on your project with a server key via
POST /api/v3/projects/settings. See API Configuration below.2
Get a token from your auth provider
Your game client authenticates with your chosen provider and receives a token — a JWT, PlayFab entity token, or Steam session ticket.
3
Send the token with requests
Include the token in the
x-player-token header when your client connects to lobbies or matchmaking.4
PlayFlow validates and tracks the player
PlayFlow verifies the token, creates or updates a player record with the provider’s user ID, and grants access. You can view authenticated players in the Players tab on the dashboard.
Auth Providers
PlayFlow supports four authentication providers. Choose the one that matches your game’s identity system.- None (Default)
- Custom JWT
- PlayFab
- Steam
No server-side verification. In
none mode, the player’s identity comes from the x-player-id header, which PlayFlow trusts verbatim. The x-player-token header is not consulted in this mode.This is the default for all projects. It is suitable for development and testing but should not be used in production.Configuration
No configuration is needed. All new projects start with this provider.Behavior
- Send the player’s unique identifier in the
x-player-idheader on every player-scoped lobby and matchmaking request. - The
x-player-idvalue is used directly as the player identity — there is no verification. - Player-scoped requests without an
x-player-idheader fail with400 Missing x-player-id header. x-player-tokenis ignored innonemode.
API Configuration
Configure player authentication by writing anauth_config to your project settings via the engine API. This is the only supported way to set the provider.
auth_config alongside other project settings. Changes take effect immediately for all new player connections.
Sending the Player Token
Token verification only runs for client keys (
pfclient_*). Ship a client key in your game build so PlayFlow verifies each player’s x-player-token against your provider and derives identity from the verified token.A server key (pf_*) bypasses verification even when a provider is configured — it is trusted to assert identity directly via x-player-id (for trusted server-side matchmakers and admin tooling). If you test a verified provider with a server key, verification silently passes through and you may wrongly conclude it works.x-player-token header on every player-scoped lobby and matchmaking request. In none mode, send x-player-id instead (no token).
- Unity
- REST API (verified provider)
- REST API (None mode)
The PlayFlow SDK handles the token header automatically when you set the player token during initialization:
Players Table
Players verified by a provider are automatically tracked in a per-project players table. Each time a player is verified against Custom JWT, PlayFab, or Steam, PlayFlow upserts a record with the following fields:
Players are uniquely identified by the combination of
project_id and provider_uid. If the same player authenticates again, their existing record is updated rather than duplicated.
none-mode players are not written to the players table — no persisted record is created for them. They may appear transiently in a live lobby or match roster, but only verified-provider players are persisted.Choosing a Provider
Development / Testing
Use None to get started quickly without any auth infrastructure. Switch to a verified provider before launching.
Existing Auth System
Use Custom JWT if you already have an auth provider (Auth0, Firebase, Supabase, Clerk, or any OIDC-compliant service).
PlayFab Games
Use PlayFab if your game uses Microsoft PlayFab for player management and you want native integration.
Steam Games
Use Steam if your game is distributed on Steam and you want to verify player identity through Steam session tickets.
Next Steps
Lobby Quick Start
Set up lobbies and start using player authentication with the lobby system.
Matchmaking Guide
Add skill-based matchmaking with authenticated players.