How to Implement Server Authority in Your Multiplayer Game Using LootLocker

Unreal Engine
Server
Multiplayer
Author image
Erik Bylund5 min read
Cover image
Table of contents
Share

Implementing server authority is one of the most important steps you can take to secure your multiplayer game. By ensuring that all critical game logic and sensitive actions are handled on your server, you can prevent cheating, protect player data, and create a fairer, more robust experience for everyone.

In this guide, we’ll show you how to use LootLocker’s Token Exchange feature to achieve true server authority in your Unreal Engine multiplayer game.

Why Server Authority?

In the land of games, server authority means that the server, not the client, has the final say on what happens in the game. In real time multiplayer, this is often related to netcode and makes sure that the actions taken by different clients at different times are executed in a way that is consistent and coherent for all players. Add in ping, packet drops, and all other fun networking stuff and you've got a whole profession to make sure it works correctly. When it comes to asynchronous gameplay, this means that when a client does something that would trigger a persistent change to the game state or world then that is verified by your game server before any persistent actions are taken. This can be things like beating a boss, clearing a level, or opening a loot box. This prevents exploits like fake score submissions, unauthorized currency changes, or progression hacks. With server authority, only your server code can perform sensitive actions on behalf of players.

How Token Exchange Enables Server Authority

LootLocker’s Token Exchange feature enables these advanced use cases by allowing your server to act on behalf of a player. By securely exchanging a client session token for a server-authorized token the server has full access to both LootLocker's Server and Game API for the player. This means you can move all crucial write calls like submitting scores, updating progressions, or awarding currency from the client to your server.

Example: Verified UGC

In games such as Little Big Planet or Super Mario Maker, a lot of the games' replayability comes from the love and efforT that the players themselves put into adding content. This is something you can add to your game with LootLocker's User Generated Content support, but until now it all had to be done from the client. With token exchange however you can evaluate the content on your server to make sure it holds up to your games standards, before submitting it to LootLocker on behalf of the player.

Example: Secure Leaderboard Submissions

Suppose you’re running a competitive shooter like Counter Strike or Apex Legends. The high demand for fairness that competitive games carry with them means that the game client can not be allowed to decide who had which kill. So instead of letting the client submit scores directly (which could be faked), you have the server validate each kill (or other scoring moments depending on your game) and then submit the score using the exchanged token. This keeps your leaderboards fair and your players happy.

Example: Server-Driven Inventories

In a co-op RPG such as Diablo a core mechanic of the game is to find and improve your gear. This means that you often want your game to award loot or drops to players. But doing this on the client will undoubtedly lead to timing conflicts and item duplication. Because of this you commonly want to award items only after the server verifies that an enemy was defeated, who opened a chest, or who picked up an item. With Token Exchange, your server can alter the player’s inventory directly, ensuring no one gets rewards they didn’t earn.

Step-by-Step: Implementing Server Authority with LootLocker

  1. Server Setup: Your game server runs both the LootLocker Unreal SDK and the LootLocker Unreal Server SDK.
  2. Client Authenticates: The player logs in using their preferred method (Steam, Epic, etc.) via the LootLocker Unreal SDK.
  3. Token Handoff: The client sends their LootLocker session token to your server.
  4. Token Exchange: Use the Server SDK to exchange the session token for a server-authorized (impersonated) token.
  5. Player Initialization: Use the new token to initialize a player context in the Unreal Client SDK on your server.
  6. Perform Actions Server-Side: Make all sensitive API calls (like submitting scores, updating progressions, or awarding currency) from your server using the server-authorized token. The server can now make any call to the LootLocker Game API on behalf of the player, securely!

For more detailed instructions, refer to our user documentation.

Best Practices

  • Never trust the client with sensitive actions. Always validate and perform these actions on your server.
  • Keep your Server SDKs up to date to benefit from the latest security and feature improvements.
  • Log and monitor server actions for auditing and debugging.

By following this guide and using LootLocker’s Token Exchange, you can implement true server authority in your multiplayer game—making it more secure, fair, and fun for everyone.

For more details, visit our documentation or join the conversation on Discord.

Stay up to date.

Join our newsletter and get these posts sent directly to your inbox.