Client Credential and Client Policy Management

Managing client credentials within the EOS environment.

A client is any program accessing Epic Online Services (EOS) functionality for a product, including the local build of a game run by end-users on their systems, dedicated servers run by the product's owners, or any other program needing visibility to backend services.

EOS uses OAuth Client Credentials to authorize access to these services. When created, each EOS client is automatically assigned a Client ID and a Client Secret (password) that you must use for authentication. This information is passed in the EOS_Platform_ClientCredentials structure as a parameter of EOS_Platform_Create so the SDK can recognize the program as a valid EOS client, authorize it, and grant it access to the features determined by its client policy.

Clients created before the introduction of Client Policies are automatically associated with a Client Policy matching the client's originally-assigned role and marked with the label Legacy.

We encourage you to review your use of Client Policies. If your game is not running dedicated servers, but allows clients to host peer-to-peer matches, consider updating your policy to the new Peer2Peer policy or an appropriate custom policy.

Client policies are crucial in securing your game against unauthorized activity. You can view and manage your clients and client policies by navigating to the Product Settings for your product and selecting the Clients tab.

Clients

Untrusted clients are typically publicly-released applications, such as the product client itself. Servers released to be run by the community or peer-to-peer product acting as product servers should not be treated as trusted clients. Developers cannot assume all players run untampered versions of your released code when connecting to services with that policy.

Trusted clients are under the developer's control, such as dedicated servers in your datacenter, and are not released publicly. A trusted client can have more permissions because you can assume it is not modified and is running only on your environment.

Adding New Clients

You can add a new EOS client by clicking New Client. This opens a New Client modal for you to fill in details about the client.

A client must be associated with a Client Policy. You can associate a single Client Policy with multiple Clients. You cannot save a client if you do not associate it with a Client Policy.

Policies

Before creating a new client, you must have a client policy with the necessary permissions for that client. If needed, a client policy can be created when creating a new client or by scrolling down to the Client Policies section and clicking Add New Client Policy. Multiple clients can associate with a single client policy.

For example, if a client is using a dedicated server, you can select the TrustedServer type. This determines a set of permissions suitable for a trusted backend.

You can also configure Custom Client Policies to select the individual actions allowed.

The User required condition enables you to require a user to login to execute actions with a specific policy. For example, you must select User required to use the functionality of Lobbies or Player Data Storage.

Default Policy Types

GameClient

  • Policy for untrusted client applications

  • Requires an authenticated user

GameClient with UnlockAchievements

  • Like GameClient, but allows the client to unlock player achievements

  • Requires an authenticated user

Peer2Peer

  • Policy for untrusted client applications that want to host multiplayer matches

  • Requires an authenticated user

TrustedServer

  • Policy for dedicated servers or trusted applications

  • Includes the ability to create matchmaking sessions and ingest stats on behalf of players

  • Does not require an authenticated user

Custom

  • Creates a new policy that allows a customized set of actions for each service

Client Policy Permission Evaluation

All requests are denied by default. Only actions that are added in the Client Policy are allowed.

Error Handling

When troubleshooting any errors, be sure to check the logs for more details about your issue first.

For SDK versions 1.10 and older, any errors with this service return as EOS_Unexpected_Error.

For SDK versions after 1.10, the following table lists potentials errors:

Error

Description

Resolution

EOS_NotConfigured

The client permission is not set up for this call.

Go to the Developer Portal and configure a policy for this client.

EOS_AcessDenied

The client permission is set up for this call, but the call fails a check (e.g. you used a correctly set-up client, but tried to access another user's private player data storage).

Check the logs for more details about your issue and contact support.

EOS_InvalidAuth

The client is configured to require a signed-in user, but the client's credentials are not allowed.

Check the logs for more details about your issue and contact support.

EOS_AccessDenied

The client policy forbids this client from calling. It is likely that the Developer Portal is configured to not allow your client access to the call.

Go to the Developer Portal and modify the client configuration. Or make a new policy that allows the given permission.