Home/ Questions/Q 6858359
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T02:08:54+00:00

I’m creating my own API for a game-statistics system (in PHP). And I want

  • 0

I’m creating my own API for a game-statistics system (in PHP).
And I want users to be able to log-in to the system from their game.

Basically, the game is made with GM:HTML5 (GameMaker for HTML5) which means it’s only obfuscated, but still readable with any JavaScript debugger.

For it to work, users will have to include a PHP library which will connect to my API system.
But, I want to limit access by using API Keys.

If I would send the API key with the request, it will be visible (eg. by using Firefox’s Developer Console). And with that API key, anyone could “log-in” and submit statistics data.

What I’d like to do, is send the domain where the game is hosted, in encrypted form with the login request. (Just a simple GET request to the server from my PHP library). And then the server would have to decrypt that string (the encrypted domain / IP) and check if it matches the API key which was also send with the request.

But I would like to know, how secure this actually is.

And if insecure, what would be a better way?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Option 2:

    Write your own protocol. Make sure to consider all of these factors:

    • Data must not be editable on a proxy level (sign all fields)
    • The request must not be replayable (add a random nonce that must be unique)
    • The request must be executed immediately (add a time parameter)

    You want an API system, so include an API key.

    • 0