Multiplayer API for Itch.io

[HeadClot]

Are there any plans for a multiplayer API for Itch? Further more are there any plans for an form of official plugins for Unity and Unreal Engine?

So we can easily integrate the API into our engine of choice.

Just curious, HeadClot

[fasterthanlime]

We've discussed various APIs — for now, games that enable multi-player on itch just use the itch.io API for authentication / proof of purchase, sometimes with a manifest to enable seamless login from the app.

Additional APIs would build up on that. What did you have in mind in particular?

[Ragzouken]

to chime in, the thing i most need (and currently rely on unity's free stuff for) is server list and natpunching/relay services

[leafo]

Hey @Ragzouken

Are there services that provide this already? What do people do now? I want to start doings some research to see the state of things.

[Ragzouken]

The ones I know of are: Unity - https://unity3d.com/services/multiplayer Photon - https://www.photonengine.com/en-US/Photon and I think steam does too but not much is public there

[quyse]

Steam SDK is not public, but as far as I remember all you need to do to get access is to login with your Steam account and accept license agreement here: https://partner.steamgames.com/ They basically have game lobby API (getting list of lobbies, joining/leaving lobbies, chatting, etc) and matchmaking API (search for lobbies based on game-provided skill level of players). They also provide P2P networking API which tries to connect peers directly using NAT hole punching, etc, or uses Steam relay servers if direct connection is not possible.

[notNSANE]

I've been commenting on this particular subject since a while ago, on chats and forums. In a perfect world, we would have an open API that handles handshakes freely, that anyone can use, and that any IDE/game IDE/framework can connect to use to build upon whatever they want to build.

Currently, multiplayer games connectivity are privately handled by Sony, Microsoft, Valve, Google and some others that I'm forgetting about. While convenient, it makes the prospect of digital obsolesce/death much much higher - if any of these services cease to exist (not by lack of users, but by suits that suddenly decided that they want to invest in something else), so does the games. Like what happened with Games for Windows Live.

The problem I see with an open implementation of it, are the costs related to it, maintaining these networks are super costly in time, production and maintenance; more so if the service might be provided for free like Steamworks.

Risks mentioned, it would be godly if some system (free or inexpensive in comparison) could potentially handle handshakes, achievements and other multiplayer / online / social aspects with an open API and infrastructure. I can imagine making a game, connecting it to this API or server, then let it handle handshakes and/or achievements, which are then pulled by Steam, Uplay, itch.io and Google Play. One can dream, right?

(sorry for the long post, but might be useful for brainstorming 😛)

BTW, googling I found this article: http://blog.soom.la/2016/02/top-10-parse-alternatives-game-backend.html And this service: https://playerio.com/

Which are mostly focused on mobile. Not sure if they can actually be useful for what we want, but worth mentioning.

[TangentFoxy]

@notnsane Well the solution (at least to your worries about costs in an open implementation) is to have an open system, that also makes it easy to release an update to your game to use a different backend server, that way even if it goes down, get another one running.

[felselva]

This issue was discussed previously and in the forums:

https://github.com/itchio/itch.io/issues/500 https://itch.io/t/17579/scoreboard-and-achievements-api

@notnsane

I can imagine making a game, connecting it to this API or server, then let it handle handshakes and/or achievements, which are then pulled by Steam, Uplay, itch.io and Google Play. One can dream, right?

If a game in the itch.io store is granted an unique application key, and an API to integrate with the player info (username, ip address, etc), that's very possible. It would make multiplayer online peer-to-peer games possible.

Brainstorming: For security matters, the itch app should monitor if any application is requesting the current logged user and it's address. If the game send a request, the application sends a response (that way, the player don't need to type the password, and the game will never know the password) To send a request to the itch app, there are two solutions here:

1. The game must use a network library to send a request to the localhost via the port XYZW (the port which the itch app listen). The request could be a string "GETUSERNAME".
2. Distribute a library that does the job above, and game developers should integrate that library to their game (pretty much what steam SDK is).

The above also works for all other matters (achievement, scoreboards, handshake, lobby, etc). The (1.) is good because it would provide support to any target (platform AND language). The second would probably make things cleaner to the game developer, but would limit the gamedev target audience (bindings for the library would be needed).

Seems like what @fasterthanlime said about the manifest (https://itch.io/docs/itch/integrating/manifest.html), but i'm not sure how that manifest integrates (if it's possible) with a non web-browser.

[fasterthanlime]

but i'm not sure how that manifest integrates (if it's possible) with a non web-browser.

It passes a session key via an environment variable to the native executable.

You can then use that to make API requests directly to the itch.io server. It lets us:

• Grant API access to the game without leaking the password or app API key
• Track which game makes which API requests (but that's it)

[quyse]

We've discussed various APIs — for now, games that enable multi-player on itch just use the itch.io API for authentication / proof of purchase, sometimes with a manifest to enable seamless login from the app.

Additional APIs would build up on that. What did you have in mind in particular?

So, is there an official way to get proof of purchase on a multiplayer game server? The API key got by client (from env variable, using profile:me option in itch manifest) gives access only to https://itch.io/api/1/jwt/me, which returns only profile information, and doesn't allow calling any of the three itch serverside APIs (my-games, download-keys, purchases), so game server cannot recognize even whether this key is from launching the particular game.

Maybe add new scope option in manifest, smth like trusted-server, and some new serverside API, which accepts client's key, game id and possibly some server's key (api key of app creator? or special app-specific key?), and returns user id, and whether the user owns the game. So trusted server could independently verify that the game is owned by user, for purposes of banning cheating/misbehaving users, not allowing to have multiple game sessions with a single account, etc.

[fasterthanlime]

So, is there an official way to get proof of purchase on a multiplayer game server? The API key got by client (from env variable, using profile:me option in itch manifest) gives access only to https://itch.io/api/1/jwt/me, which returns only profile information, and doesn't allow calling any of the three itch serverside APIs (my-games, download-keys, purchases), so game server cannot recognize even whether this key is from launching the particular game.

You use the JWT key to authenticate - get a trusted user_id.

You then use your own API key (as a developer, that you stored on our server) to query whether or not that user_id owns the game (via https://itch.io/api/1/KEY/game/GAME_ID/purchases?user_id=XXX)

[quyse]

@fasterthanlime Oh, I see, thanks! I missed that part somehow. So, it's ok to use client's JWT key to authenticate client from server? It's not bound to client's IP address/subnet, is it?

[fasterthanlime]

I missed that part somehow.

That must be because I only explained it in an e-mail to a particular game developer :) I should really write guides for these kinds of things.

So, it's ok to use client's JWT key to authenticate client from server? It's not bound to client's IP address/subnet, is it?

Yep! That's the way to do it. It's not bound to the IP, just to the user, which lets you know who they are.

[quyse]

@fasterthanlime Great, everything's clear so far, thanks again!

[quyse]

Currently https://itch.io/api/1/KEY/game/GAME_ID/download_keys returns error for admins of the game, which is understandable (indeed they don't have keys), but a bit confusing (they have access to the game after all). I'm working around that by whitelisting admins' user_ids manually in the game. Would be nice to have a way to handle admins' access transparently in a single API call. Anyway, it's quite a minor problem, other than that the APIs work fine for us!

[BoxFortGames]

@quyse I was able to get around the developer/admin not having a download key by manually generating a key for them to claim.

[rcorre]

I missed that part somehow.

That must be because I only explained it in an e-mail to a particular game developer :) I should really write guides for these kinds of things.

So, it's ok to use client's JWT key to authenticate client from server? It's not bound to client's IP address/subnet, is it?

Yep! That's the way to do it. It's not bound to the IP, just to the user, which lets you know who they are.

I was confused by the same thing. I wasn't sure if it was cool/safe to pass the JWT from the game to my server. It might be worth calling out this process more explicitly in the docs (though maybe its obvious to folks more familiar with JWT).

I'll also add that it would be awesome to have an open matchmaking/nat-traversal service, though the costs might be daunting (especially for relays, though I'm not sure how often those are needed vs just NAT-punching). Possibly it could be enabled for games that give a certain cut to itch, so their funding scales with use?

Achievements/ect. seem less important, as you should be able to set this up with a free-tier service like Heroku (I'm trying this now). Unfortunately you can't use Heroku for NAT-punching, as your app is behind a load balancer and doesn't get the original client port (at least as far as I can tell).

[mainrs]

You then use your own API key (as a developer, that you stored on our server) to query whether or not that user_id owns the game (via https://itch.io/api/1/KEY/game/GAME_ID/purchases?user_id=XXX)

So this only works for API keys that are bound to user accounts marked as developers for certain games? I, as an arbitrary user, cannot query the information for a game I do not own (in the sense of owning the project as a whole), am I right?