Can't anybody pass any user that has bought the game?
That's bypassing the check.

Can't anybody pass any user that has bought the game?

Nope.

The Itch application passes an environment variable to your application that contains a session API key. It's unique to the user and dare I say impossible to forge. You then take that API key, and pass it as an authorization header to the https://itch.io/api/1/jwt/me endpoint. If you get a user JSON object back, then the key is valid and you can trust that they are who they say they are.

If you get an object back that contains anything else, like an error, then it's not valid.

I finally got this set up tonight. Here is a sample of what might be returned upon verifying a key against the API:

POST /api/1/jwt/me HTTP/1.1
Host: itch.io
Authorization: The ITCHIO_API_KEY environment variable sent to your game

{
  "user": {
    "gamer": false,
    "id": 509014,
    "url": "https://dobydigital.itch.io",
    "username": "dobydigital",
    "developer": true,
    "press_user": false
  }
}

Here's what it might look like if you send an invalid token through:

{
  "errors": [
    "invalid base64"
  ]
}
{
  "errors": [
    "header not HS256"
  ]
}

Basically anything with error in it is invalid, so don't authenticate the user.

The only way someone is gonna get that API key is if the player launching the game figures out what the key is, by looking in the environment, and gives it to someone else.

That's why I mentioned you can get fancy and prevent replay attacks by verifying the API key against a service that YOU own. You can prevent it from being used again by storing it in a database somewhere or something. Get creative.
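The check described in the reply above (read ITCHIO_API_KEY, send it as the Authorization header to https://itch.io/api/1/jwt/me, accept only a reply with a "user" object) plus the single-use replay guard suggested here, written out as an added example; this is not code from the thread or from itch.io. Assumptions: the header carries the bare key value exactly as the post states, the network call is factored out so the classifier can be exercised against the two sample bodies quoted in the thread, and RedemptionStore is a hypothetical in-memory stand-in for the "database somewhere" that your own service would keep. Storing a SHA-256 fingerprint instead of the raw key is an added hardening choice, not something the post prescribes.

```python
import hashlib
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Optional

# Endpoint named in the thread.
ITCH_JWT_ME = "https://itch.io/api/1/jwt/me"

# Sample bodies constructed from the responses quoted in the thread.
SAMPLE_VALID = (
    '{"user": {"gamer": false, "id": 509014, '
    '"url": "https://dobydigital.itch.io", "username": "dobydigital", '
    '"developer": true, "press_user": false}}'
)
SAMPLE_INVALID = '{"errors": ["header not HS256"]}'


def classify_response(body: str) -> Optional[dict]:
    """Return the user object if the body is a valid /jwt/me reply, else None.

    Anything carrying "errors", non-JSON, or lacking a "user" object with an
    id is treated as invalid, which is the rule given in the thread.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or "errors" in data:
        return None
    user = data.get("user")
    if not isinstance(user, dict) or "id" not in user:
        return None
    return user


def fetch_me(api_key: str) -> str:
    """Real network call (assumption: Authorization header is the bare key).

    A 4xx reply still carries the JSON error body, so it is returned for
    classification rather than swallowed.
    """
    req = urllib.request.Request(
        ITCH_JWT_ME, data=b"", method="POST",
        headers={"Authorization": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8")


def verify_launch(api_key: Optional[str],
                  fetch: Callable[[str], str] = fetch_me) -> Optional[dict]:
    """Verify one launch: empty key, transport failure or error body -> None."""
    if not api_key:
        return None
    try:
        body = fetch(api_key)
    except OSError:
        return None
    return classify_response(body)


class RedemptionStore:
    """Hypothetical server-side record of session keys already redeemed.

    Stands in for the database the post suggests; a key that verifies is
    accepted exactly once, so a copied key replayed later is refused.
    """

    def __init__(self) -> None:
        self._seen: set = set()

    @staticmethod
    def _fingerprint(api_key: str) -> str:
        # Keep a hash, not the raw key, so the store itself is not a key cache.
        return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

    def redeem(self, api_key: str,
               fetch: Callable[[str], str] = fetch_me) -> Optional[dict]:
        fp = self._fingerprint(api_key)
        if fp in self._seen:
            return None  # replay: this key was already used once
        user = verify_launch(api_key, fetch)
        if user is None:
            return None
        self._seen.add(fp)
        return user


if __name__ == "__main__":
    # Stand-alone use: the Itch app sets ITCHIO_API_KEY for the launched game.
    result = verify_launch(os.environ.get("ITCHIO_API_KEY"))
    print("verified as", result["username"] if result else "nobody")
```

The classifier is separated from the transport so the acceptance rule can be tested against the thread's own sample bodies without a network; in production only verify_launch or RedemptionStore.redeem with the default fetch_me is called.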