Authentication

DedicatedServerMod can require each remote client to complete a Steam ticket handshake before the join flow is finalized. This ensures only authorized Steam users can connect to your server.

Authentication Providers

The authProvider setting determines how Steam tickets are validated. Three options are available:

None

When to use: Private LAN servers, testing environments, or when you want zero authentication overhead.

Pros:

  • No setup required
  • No Steam API dependencies
  • Fastest connection times
  • Works offline

Cons:

  • No player identity verification
  • Players can impersonate others
  • No protection against unauthorized access
  • Not suitable for public servers

Configuration:

{
  "requireAuthentication": false,
  "authProvider": "None"
}


SteamGameServer

When to use: Public dedicated servers, Docker deployments, production environments.

How it works: Validates client tickets through Steam Game Server APIs using BeginAuthSession callbacks. The server logs into Steam as a game server and validates tickets directly with Valve's authentication system.

Pros:

  • Recommended by Steam for dedicated servers
  • Direct Steam integration with low latency
  • Supports server browser listing
  • Works with both anonymous and persistent server tokens
  • Handles ticket validation automatically
  • Most reliable for dedicated hosting

Cons:

  • Requires Steam Game Server initialization
  • Server must be able to reach Steam backend services
  • Requires proper network configuration

Configuration (Anonymous Login):

{
  "requireAuthentication": true,
  "authProvider": "SteamGameServer",
  "authTimeoutSeconds": 15,
  "authAllowLoopbackBypass": true,
  "steamGameServerLogOnAnonymous": true,
  "steamGameServerQueryPort": 27016,
  "steamGameServerVersion": "0.2.1-beta",
  "steamGameServerMode": "Authentication"
}

Configuration (Persistent Token):

For production servers, you can obtain a persistent game server token from: https://steamcommunity.com/dev/managegameservers

{
  "requireAuthentication": true,
  "authProvider": "SteamGameServer",
  "authTimeoutSeconds": 15,
  "authAllowLoopbackBypass": true,
  "steamGameServerLogOnAnonymous": false,
  "steamGameServerToken": "YOUR_GAME_SERVER_TOKEN_HERE",
  "steamGameServerQueryPort": 27016,
  "steamGameServerVersion": "0.2.1-beta",
  "steamGameServerMode": "Authentication"
}

Steam Game Server Mode Options:

| Mode | Description | Use Case |
|------|-------------|----------|
| NoAuthentication | Don't authenticate or list in server browser | Private testing only |
| Authentication | Authenticate users and list in server browser | Recommended for most servers |
| AuthenticationAndSecure | Authentication + secure mode + server browser | High-security public servers |

SteamWebApi

Status: Available in configuration but not fully implemented in the current version.

When to use: Currently not recommended until full implementation is complete.

How it works (when implemented): Would validate tickets through Steam's Web API using the AuthenticateUserTicket endpoint over HTTPS.

Pros (theoretical):

  • Stateless validation
  • No persistent server connection to Steam
  • Could work with web-based admin panels
  • HTTP-based, potentially easier for some firewall configurations

Cons:

  • Requires Steam Web API key
  • Higher latency than game server API
  • Additional HTTP overhead
  • Currently incomplete implementation
  • Requires API key management

Configuration (for future use):

{
  "requireAuthentication": true,
  "authProvider": "SteamWebApi",
  "authTimeoutSeconds": 15,
  "authAllowLoopbackBypass": true,
  "steamWebApiKey": "YOUR_STEAM_WEB_API_KEY",
  "steamWebApiIdentity": "DedicatedServerMod"
}

Note: Do not use SteamWebApi in production. Use SteamGameServer instead.


Configuration Keys

Core Authentication Settings

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| requireAuthentication | bool | false | Enable/disable authentication handshake |
| authProvider | string | "SteamGameServer" | Authentication backend: None, SteamWebApi, SteamGameServer |
| authTimeoutSeconds | int | 15 | Timeout for handshake completion (1-120 seconds) |
| authAllowLoopbackBypass | bool | true | Allow local loopback/ghost host to bypass auth |

Steam Game Server Settings

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| steamGameServerLogOnAnonymous | bool | true | Use anonymous Steam game server login |
| steamGameServerToken | string | "" | Game server login token (when anonymous is disabled) |
| steamGameServerQueryPort | int | 27016 | Steam query/listing port |
| steamGameServerVersion | string | "0.2.1-beta" | Version string announced to Steam |
| steamGameServerMode | string | "Authentication" | Mode: NoAuthentication, Authentication, AuthenticationAndSecure |

Steam Web API Settings

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| steamWebApiKey | string | "" | Web API key for ticket validation |
| steamWebApiIdentity | string | "DedicatedServerMod" | Identity string for Web API flows |

Runtime Behavior

Authentication Flow

  1. Remote client connects to server
  2. Server sends auth challenge with nonce and provider metadata
  3. Client generates Steam auth ticket
  4. Client submits ticket with nonce to server
  5. Server validates ticket with configured provider
  6. If validation fails (invalid ticket, timeout, ban), connection is disconnected
  7. While not authenticated, server-side command execution is rejected

Loopback Bypass

When authAllowLoopbackBypass is enabled (default), the local ghost host connection bypasses authentication. This is necessary for the internal server process to function properly.

Do not disable this unless you understand the implications.

Ban System

Players in the bannedPlayers list (Steam ID64 strings) are rejected during authentication, even if their tickets are valid.

{
  "bannedPlayers": [
    "76561198012345678",
    "76561198087654321"
  ]
}
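
The handshake, loopback bypass and ban check described in this section, modelled from the server's side. This is an added illustration, not DedicatedServerMod's code: AuthGate, validate_ticket and the ticket bytes are hypothetical, and the nonce being random, single-use and compared in constant time is an assumption.

```python
import hmac
import secrets

class AuthGate:
    """Server side of the handshake. validate_ticket is a hypothetical stand-in for
    the configured provider: it returns a SteamID64, or None for an invalid ticket."""

    def __init__(self, validate_ticket, banned, timeout=15, loopback_bypass=True):
        self.validate_ticket, self.banned = validate_ticket, set(banned)
        self.timeout, self.loopback_bypass = timeout, loopback_bypass
        self.pending = {}   # conn_id -> (nonce, deadline) awaiting a ticket
        self.authed = {}    # conn_id -> SteamID64 (or "ghost-host")

    def on_connect(self, conn_id, is_loopback, now):
        if is_loopback and self.loopback_bypass:   # authAllowLoopbackBypass
            self.authed[conn_id] = "ghost-host"
            return None
        nonce = secrets.token_hex(16)              # assumed: random per challenge
        self.pending[conn_id] = (nonce, now + self.timeout)
        return nonce                               # step 2: sent in the challenge

    def on_ticket(self, conn_id, nonce, ticket, now):
        if conn_id not in self.pending:
            return "disconnect: no pending challenge"
        expected, deadline = self.pending.pop(conn_id)   # assumed: single use
        if now > deadline:                               # authTimeoutSeconds
            return "disconnect: timeout"
        if not hmac.compare_digest(expected.encode(), nonce.encode()):
            return "disconnect: nonce mismatch"
        steam_id = self.validate_ticket(ticket)          # step 5
        if steam_id is None:
            return "disconnect: invalid ticket"
        if steam_id in self.banned:                      # valid ticket, still rejected
            return "disconnect: banned"
        self.authed[conn_id] = steam_id
        return "ok"

    def may_run_command(self, conn_id):                  # step 7
        return conn_id in self.authed

# Constructed stand-ins: fake ticket bytes mapped to the page's sample SteamID64s.
TICKETS = {b"ticket-a": "76561198012345678", b"ticket-b": "76561198087654321"}

def demo():
    gate = AuthGate(TICKETS.get, banned=["76561198087654321"])
    def attempt(conn, ticket, at):
        return gate.on_ticket(conn, gate.on_connect(conn, False, now=0), ticket, now=at)
    return [attempt("c1", b"ticket-a", 1), attempt("c2", b"ticket-b", 1),
            attempt("c3", b"ticket-a", 16), attempt("c4", b"forged", 1)]
```

The ban check runs only after the ticket validates, so the server compares the ban list against the SteamID64 the provider returned rather than anything the client claimed.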

Command-Line Overrides

You can override authentication settings via command-line arguments:

# Enable authentication
--require-authentication
--require-auth

# Set auth provider
--auth-provider <none|steam_web_api|steam_game_server>

# Set timeout
--auth-timeout <seconds>

# Steam game server settings
--steam-gs-anonymous
--steam-gs-token <token>

Example:

ScheduleI.exe --require-authentication --auth-provider steam_game_server --auth-timeout 30


Troubleshooting

Authentication Always Times Out

Symptoms: Clients can't connect, timeout after 15 seconds

Solutions:

  1. Check that Steam is running on client machines
  2. Verify server can reach Steam backend (not behind restrictive firewall)
  3. Ensure steamGameServerQueryPort is not blocked
  4. Try increasing authTimeoutSeconds to 30
  5. Check MelonLoader logs for specific errors

Server Won't Start with Authentication

Symptoms: Server crashes or fails during startup

Solutions:

  1. Verify steamGameServerMode is valid (NoAuthentication, Authentication, or AuthenticationAndSecure)
  2. If using persistent token, verify token is valid
  3. Check that Steam client is not running on the same machine (conflicts with game server API)
  4. Review MelonLoader logs for Steam initialization errors

Players Can't Connect After Enabling Auth

Symptoms: Previously working server now rejects all connections

Solutions:

  1. Ensure clients are using Steam version of the game
  2. Verify clients have valid Steam sessions
  3. Check that requireAuthentication is true on server
  4. Confirm firewall isn't blocking Steam auth traffic
  5. Try temporarily disabling authentication to isolate the issue

"SteamWebApi Provider Not Implemented" Error

Symptoms: Error message about SteamWebApi

Solution: Change authProvider to "SteamGameServer" (recommended) or "None" (testing only).


Best Practices

For Public Servers

  1. ✅ Use authProvider: "SteamGameServer"
  2. ✅ Set requireAuthentication: true
  3. ✅ Use steamGameServerMode: "Authentication"
  4. ✅ Keep authAllowLoopbackBypass: true
  5. ✅ Maintain bannedPlayers list for problem users
  6. ✅ Use persistent token for production servers
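
A pre-deployment check for the public-server settings above, added here as an example and not part of DedicatedServerMod. The function name, the finding texts and the sample config are constructed; the SteamID64 pattern assumes ordinary individual accounts, and an absent bannedPlayers key is assumed to mean an empty list.

```python
import json
import re

STEAMID64 = re.compile(r"7656119\d{10}")  # 17 digits, individual public accounts
MODES = {"NoAuthentication", "Authentication", "AuthenticationAndSecure"}
# Defaults from the Configuration Keys tables; absent bannedPlayers assumed empty.
DEFAULTS = {
    "requireAuthentication": False, "authProvider": "SteamGameServer",
    "authTimeoutSeconds": 15, "authAllowLoopbackBypass": True,
    "steamGameServerLogOnAnonymous": True, "steamGameServerToken": "",
    "steamGameServerMode": "Authentication", "bannedPlayers": [],
}

def audit_public_server(config_text):
    """Return (key, problem) pairs for a config intended for a public server."""
    cfg = {**DEFAULTS, **json.loads(config_text)}
    out = []
    if cfg["requireAuthentication"] is not True:
        out.append(("requireAuthentication", "handshake disabled"))
    if cfg["authProvider"] != "SteamGameServer":
        out.append(("authProvider", f"{cfg['authProvider']!r} is not SteamGameServer"))
    mode = cfg["steamGameServerMode"]
    if mode not in MODES:
        out.append(("steamGameServerMode", f"{mode!r} is not a valid mode"))
    elif mode == "NoAuthentication":
        out.append(("steamGameServerMode", "NoAuthentication is for private testing"))
    t = cfg["authTimeoutSeconds"]
    if isinstance(t, bool) or not isinstance(t, int) or not 1 <= t <= 120:
        out.append(("authTimeoutSeconds", "must be an integer from 1 to 120"))
    if cfg["authAllowLoopbackBypass"] is not True:
        out.append(("authAllowLoopbackBypass", "ghost host needs the bypass"))
    if cfg["steamGameServerLogOnAnonymous"]:
        out.append(("steamGameServerLogOnAnonymous", "use a persistent token"))
    elif not cfg["steamGameServerToken"]:
        out.append(("steamGameServerToken", "empty while anonymous login is off"))
    for entry in cfg["bannedPlayers"]:
        if not (isinstance(entry, str) and STEAMID64.fullmatch(entry)):
            out.append(("bannedPlayers", f"{entry!r} is not a SteamID64 string"))
    return out

# Constructed sample: auth off, testing-only mode, and a ban entry in the wrong format.
SAMPLE = """{
  "requireAuthentication": false, "authProvider": "None",
  "steamGameServerMode": "NoAuthentication", "authTimeoutSeconds": 300,
  "bannedPlayers": ["76561198012345678", "STEAM_0:1:12345"]
}"""

if __name__ == "__main__":
    print(*audit_public_server(SAMPLE), sep="\n")
```

Because missing keys fall back to the documented defaults, a config that omits requireAuthentication is reported as having the handshake disabled.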

For Private Servers

  1. Authentication can be disabled (requireAuthentication: false) if server is LAN-only
  2. Still recommended to use authentication for accountability
  3. Use whitelist via operators or admins lists if needed

For Docker Deployments

  1. Use SteamGameServer provider
  2. Ensure container can reach Steam backend
  3. Expose steamGameServerQueryPort in Docker config
  4. Use persistent token for production
  5. Store token in environment variable or Docker secret

For Development/Testing

  1. Disable authentication for faster iteration
  2. Re-enable before production deployment
  3. Test with authentication enabled before public release

Security Considerations

API Keys

  • Never commit Steam API keys or game server tokens to version control
  • Use environment variables or secure configuration management
  • Rotate tokens periodically for production servers

Loopback Bypass

The authAllowLoopbackBypass setting allows the internal ghost host to connect without authentication. This is required for normal operation. Disabling it will break the server.

Ban Management

  • Use Steam ID64 format (e.g., 76561198012345678)
  • Ban system is enforced during authentication
  • Banned players cannot connect even with valid tickets
  • Maintain ban list in server_config.json or use commands