Player Authentication Modes

TurnKit supports three ways for players to authenticate. OPEN is the default and fastest option.

Quick Comparison

| Mode | Best for | What you need | Player verification |
|---|---|---|---|
| OPEN | Quick testing and prototypes | Nothing | None |
| TURNKIT_AUTH | Simple email login without building a backend | SMTP settings (host, port, username, password, from address) | Email + OTP -> player JWT |
| SIGNED | Games with existing player authentication | Your own backend + secret key | Signed exchange -> player JWT |

OPEN Mode

No authentication is required. Players only need your client key to join queues and matches.

This is the fastest way to start testing, and it suits public demos or games where you prefer zero login friction.

Note: Do not use OPEN mode with auto-upgrade billing. Malicious users could create many fake players and consume your free 20 CCU limit.

TURNKIT_AUTH Mode

TurnKit manages player login using email + OTP.

How to implement

  1. Set mode to TURNKIT_AUTH in the dashboard.
  2. Configure your SMTP settings. A quick option is setting up Brevo as your email provider.
  3. Client calls /v1/client/auth/otp/request and /v1/client/auth/otp/verify.
  4. Use the returned player JWT in Authorization: Bearer <player-jwt> for normal client calls.

OTP endpoints expect Content-Type: application/json. Default backend limits are currently 5 requests per 10 minutes for /v1/client/auth/otp/request and 10 requests per 10 minutes for /v1/client/auth/otp/verify, typically scoped by game, email, and client IP.

SIGNED Mode

Your backend signs player identities.

How to implement

  1. Set mode to SIGNED in the dashboard.
  2. Store the secret key only on your backend.
  3. Backend computes HMAC-SHA256 over playerId + "\n" + timestamp + "\n" + nonce and returns playerId, timestamp, nonce, and signature to the client.
  4. timestamp is Unix epoch seconds encoded as a string.
  5. nonce must be a random URL-safe string, not a time-based value. The server currently requires [A-Za-z0-9_-]{16,128}.
  6. Client calls POST /v1/client/auth/signed/exchange with that payload. TurnKit verifies the signature, replay protection, and freshness before issuing a player JWT.
  7. Use that player JWT in Authorization: Bearer <player-jwt> for normal client calls.

OPEN is the only mode that still sends X-Player-Id directly on client requests.

All modes work with MatchWithAnyone().