Does runtime.http_key, if put in the client app, allow making admin-only requests?

Hi! I was wondering if runtime.http_key may be put in the client app and how we should authenticate admins when developing an additional admin panel for our (common for all of our games) Go module. I was thinking about using the JS lib and allowing our go-rpc admin methods to be available for certain usernames only. Maybe there is a better solution around?

Another related question that arises: is there any anti-spam protection for account registrations or any other abuse protection built in? Or should we implement it ourselves?

Hi, it’s not advisable to expose the HTTP key directly in a client app due to security reasons as it could easily get compromised. A safer practice is to host it on the server and proxy it along the request to your admin server-to-server Nakama RPCs that would provide your custom functionality.

The Console Authenticate API has rate limiting on login attempts, and will lock out accounts that exceed the max number of attempts for a certain period.

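The proxy pattern described in the answer above, as an added example that is not part of the original thread or Nakama's own code: a small Go service that authenticates the admin panel itself and attaches the HTTP key server-side before calling Nakama's `/v2/rpc/<id>?http_key=...` endpoint. The bearer-token scheme, environment variable names, the `admin_ban_user` RPC id and the listen addresses are assumptions.

```go
package main

import (
	"crypto/subtle"
	"io"
	"log"
	"net/http"
	"net/url"
	"os"
)

// AdminProxy holds server-side config only; nothing here is sent to the browser.
type AdminProxy struct {
	NakamaURL, HTTPKey, AdminToken string          // AdminToken: hypothetical panel credential
	AllowedRPC                     map[string]bool // RPC ids the panel may call
}

// Authorized checks the panel's bearer token in constant time.
func (p *AdminProxy) Authorized(header string) bool {
	return p.AdminToken != "" && subtle.ConstantTimeCompare([]byte(header), []byte("Bearer "+p.AdminToken)) == 1
}

// Target builds the server-to-server RPC URL; the HTTP key is attached only here.
func (p *AdminProxy) Target(id string) (string, bool) {
	if !p.AllowedRPC[id] {
		return "", false
	}
	return p.NakamaURL + "/v2/rpc/" + url.PathEscape(id) + "?http_key=" + url.QueryEscape(p.HTTPKey) + "&unwrap", true
}

func (p *AdminProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	target, ok := p.Target(r.URL.Query().Get("id"))
	if r.Method != http.MethodPost || !p.Authorized(r.Header.Get("Authorization")) || !ok {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	resp, err := http.Post(target, "application/json", http.MaxBytesReader(w, r.Body, 1<<20))
	if err != nil { // err text contains the key-bearing URL: never echo it to the caller
		http.Error(w, "upstream error", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

func main() { // env var names and the RPC id below are assumptions
	p := &AdminProxy{NakamaURL: "http://127.0.0.1:7350", HTTPKey: os.Getenv("NAKAMA_HTTP_KEY"), AdminToken: os.Getenv("ADMIN_TOKEN"), AllowedRPC: map[string]bool{"admin_ban_user": true}}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", p))
}
```

The admin panel only ever holds its own credential; rotating or revoking it does not require changing `runtime.http_key`.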