
Player Authentication


The Lobby Service needs a way to authenticate players to validate CreateLobby requests and enforce rate limiting. The Lobby Service uses token-based authentication. To get a player token, you can either use our built-in auth providers or use custom authentication.

Built-in auth providers

Currently, we offer 3 built-in providers to authenticate players. They are accessible via our Auth Service and they all return a valid player token that you use in CreateLobby calls.


Anonymous and Nickname auth tokens cannot be easily shared across player devices. If you need player auth to be more secure, we recommend using the Google auth provider or a custom auth provider.


  1. Enable anonymous auth for your application (enabled by default). Call UpdateApp and pass anonymous in the authConfiguration.

     "authConfiguration": {
       "anonymous": { }
     }

  2. LoginAnonymous returns a unique player token with a random userId.


  1. Enable nickname auth for your application. Call UpdateApp and pass nickname in the authConfiguration.

     "authConfiguration": {
       "nickname": { }
     }

  2. LoginNickname returns a unique player token with a specified nickname as userId.


  1. Add Google sign-in in your game client.
  2. Enable google auth for your application. Call UpdateApp and pass google in the authConfiguration with your Google clientId.

     "authConfiguration": {
       "google": {
         "clientId": "your-client-id"
       }
     }

  3. Player signs in and Google will generate an idToken.
  4. LoginGoogle returns a unique player token with a specified idToken as userId.

Custom auth provider

Our built-in providers are a convenient way to generate player tokens. However, we also offer a flexible way for you to generate tokens in your own auth server. All you need to do is provide a player token in the specified format.

You can disable all built-in authentication for your application by calling UpdateApp and passing in an empty object as the authConfiguration.

"authConfiguration": { }   

Token format

Player tokens must be JSON web tokens (JWTs) and their body must have an id field corresponding to the player's unique userId. They must be signed with your application's appSecret.

jwt.sign({"id": "my-user-id"}, appSecret)

You can grab your appSecret from the Hathora Cloud Console.