| DedicatedServerMod Documentation

Authentication

DedicatedServerMod can require each remote client to complete a Steam ticket handshake before join flow is finalized. This ensures only authorized Steam users can connect to your server.

authProvider is the canonical switch for authentication in current builds. The older requireAuthentication flag is still parsed for backward compatibility, but new configs should use authProvider directly.

Authentication Providers

The authProvider setting determines how Steam tickets are validated. Three options are available.

None

When to use: Private LAN servers, local testing, or fast iteration where Steam identity validation is unnecessary.

Pros:

No external Steam validation dependency.
Fastest join flow.
Works for offline or local-only setups.

Cons:

No player identity verification.
Not suitable for public servers.

Configuration:

[authentication]
authProvider = 'None'

SteamGameServer (Recommended)

When to use: Public dedicated servers, Docker deployments, and normal production hosting.

How it works: The server logs into Steam as a game server and validates client tickets through the game server API.

Pros:

Recommended by Steam for dedicated servers.
Low-latency validation path.
Works with anonymous or persistent game server login.
Best fit for public hosting.

Cons:

Requires Steam backend reachability.
Requires valid Steam game server setup.

Configuration (anonymous login):

[authentication]
authProvider = 'SteamGameServer'
authTimeoutSeconds = 15
authAllowLoopbackBypass = true
steamGameServerLogOnAnonymous = true
steamGameServerQueryPort = 27016
steamGameServerVersion = '0.3.0-beta'
steamGameServerMode = 'Authentication'

Configuration (persistent token):

[authentication]
authProvider = 'SteamGameServer'
authTimeoutSeconds = 15
authAllowLoopbackBypass = true
steamGameServerLogOnAnonymous = false
steamGameServerToken = 'YOUR_GAME_SERVER_TOKEN_HERE'
steamGameServerQueryPort = 27016
steamGameServerVersion = '0.3.0-beta'
steamGameServerMode = 'Authentication'

Steam Game Server Mode options:

Mode	Description	Use Case
`NoAuthentication`	Do not authenticate users and do not list in the server browser	Private testing only
`Authentication`	Authenticate users and list in the server browser	Recommended for most servers
`AuthenticationAndSecure`	Authenticate users, list in the server browser, and enable secure mode	Higher-security public servers

SteamWebApi

Status: Available in configuration, but not fully implemented in the current version.

When to use: Not recommended for production today.

Configuration (future-facing only):

[authentication]
authProvider = 'SteamWebApi'
authTimeoutSeconds = 15
authAllowLoopbackBypass = true
steamWebApiKey = 'YOUR_STEAM_WEB_API_KEY'
steamWebApiIdentity = 'DedicatedServerMod'

Use SteamGameServer instead unless you are explicitly testing this incomplete path.

Configuration Keys

Core Authentication Settings

Key	Type	Default	Description
`authProvider`	`string`	`"None"`	Authentication backend: `None`, `SteamWebApi`, `SteamGameServer`
`authTimeoutSeconds`	`int`	`15`	Timeout for handshake completion (1-120 seconds)
`authAllowLoopbackBypass`	`bool`	`true`	Allow local loopback/ghost host to bypass auth

Steam Game Server Settings

Key	Type	Default	Description
`steamGameServerLogOnAnonymous`	`bool`	`true`	Use anonymous Steam game server login
`steamGameServerToken`	`string`	`""`	Game server login token when anonymous login is disabled
`steamGameServerQueryPort`	`int`	`27016`	Steam query/listing port
`steamGameServerVersion`	`string`	`"0.3.0-beta"`	Version string announced to Steam
`steamGameServerMode`	`string`	`"Authentication"`	Mode: `NoAuthentication`, `Authentication`, `AuthenticationAndSecure`

Steam Web API Settings

Key	Type	Default	Description
`steamWebApiKey`	`string`	`""`	Web API key for ticket validation
`steamWebApiIdentity`	`string`	`"DedicatedServerMod"`	Identity string for Web API flows

Runtime Behavior

Authentication Flow

Remote client connects to the server.
Server sends an auth challenge with nonce and provider metadata.
Client generates a Steam auth ticket.
Client submits the ticket with the nonce.
Server validates the ticket with the configured provider.
If validation fails (invalid ticket, timeout, ban, provider error), the connection is rejected.
While not authenticated, server-side command execution is rejected.

Loopback Bypass

When authAllowLoopbackBypass is enabled, the local ghost host connection bypasses authentication. This is required for normal dedicated-server operation. Disabling it can break server startup and headless gameplay flow.

Ban System

Players with ban entries in permissions.toml are rejected during authentication, even if their Steam tickets are otherwise valid.

[ban.76561198012345678]
subjectId = '76561198012345678'
createdAtUtc = '2026-03-29T12:00:00.0000000Z'
createdBy = 'console'
reason = 'Repeated griefing'

Command-Line Overrides

You can override authentication settings via command-line arguments:

--require-authentication
--require-auth
--disable-authentication
--disable-auth
--no-auth
--auth-provider <none|steam_web_api|steam_game_server>
--auth-timeout <seconds>
--steam-gs-anonymous
--steam-gs-token <token>

Example:

ScheduleI.exe --require-authentication --auth-provider steam_game_server --auth-timeout 30

The --require-authentication flag is a convenience alias. New persisted configs should still prefer authProvider.

Troubleshooting

Authentication always times out

Symptoms: Clients cannot finish connecting and fail after the timeout window.

Checks:

Confirm Steam is running on client machines.
Verify the server can reach Steam backend services.
Ensure steamGameServerQueryPort is not blocked.
Increase authTimeoutSeconds slightly if your environment is slow.
Review MelonLoader logs for provider-specific failures.

Players cannot connect after enabling auth