How can I disable or protect specific client API calls?

Hi

I saw there are many built-in features and APIs, such as chat and save/load data.
I would like to know if it’s possible to hook those APIs into custom TypeScript code.
For example, a user sends a chat message, our custom code intercepts it and does some custom validation to decide whether it should be executed.

Furthermore, can I disable all the built-in APIs for clients and only open custom RPC APIs to clients?
Same example: a user sends a custom RPC request to chat, we do some custom validation, and if OK we call the built-in chat API for them on the server.

I just want to confirm how much access control is available.

Thanks,
Jo

Hello @joappdev,

You can use the before hooks (Basics - Heroic Labs Documentation) to achieve what you are describing with chat messages.

Server-to-server calls can be secured with the HTTP key (Basics - Heroic Labs Documentation).

You cannot disable the APIs (see @zyro’s response below), but you can use the before hooks to add custom logic to the authentication endpoints if you wish to have custom access control logic.

Hope this helps

Hi @sesposito

If I cannot disable the APIs by default, then a client may be able to abuse the built-in APIs, like writing objects.
Will it be a potential security issue, since all clients should be treated as untrusted?

Thanks

Storage objects have access control, so you can set ownership and restrict access (Access controls - Heroic Labs Documentation).

Objects created via the REST API will always be owned by the authenticated user, and you can set whether other players have read access to their data by setting the read permissions accordingly.

@joappdev On top of the built-in controls that @sesposito mentioned you can also create an “API guard” pattern to disable APIs you don’t want clients to directly have access to.

Just register a before hook on the function call you wish to disable and, instead of returning the request input and letting the server continue processing, just return nil. The server knows to handle this exact scenario as a disabled API call.

For example, in this docs snippet you could `return nil` instead of `return payload` and the API call would not proceed.

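The two techniques in this thread (validating chat messages in a before hook, and the "API guard" that returns nil to disable a client-facing API) put together as an added example in TypeScript. This is not code from the thread or from Heroic Labs: `Context`, `BeforeHook`, `Registry` and the trimmed request shapes are local stand-ins for the server's ambient `nkruntime` types, so the file runs without a Nakama server, and the API names "ChannelMessageSend" / "WriteStorageObjects" and the use of `null` as the TypeScript analogue of Lua/Go `nil` are assumptions to confirm against the runtime docs. The stand-in dispatcher only models the three outcomes a before hook can produce: return the (possibly modified) payload to proceed, throw to reject the call, or return null to disable the API.

```typescript
// Added example, not the thread's or Heroic Labs' code. Stand-in types replace
// the server's ambient nkruntime declarations so the file runs stand-alone.
type Context = { userId: string; username: string };

// A before hook gets the request payload and returns it (possibly modified)
// to let the server continue, throws to reject the call, or returns null to
// mark the API as disabled (assumption: null plays the role of nil here).
type BeforeHook<T> = (ctx: Context, payload: T) => T | null;

// Request shapes trimmed to the fields the hooks look at (assumption: the real
// requests carry more fields).
type ChannelMessageSend = { channelId: string; content: string };
type WriteStorageObjects = {
  objects: { collection: string; key: string; value: string }[];
};

const MAX_CHAT_LEN = 256;
const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F]/;

// Chat validation: the untrusted client's message is normalised and checked
// before the server processes it; a throw rejects the message with an error.
const beforeChannelMessageSend: BeforeHook<ChannelMessageSend> = (ctx, msg) => {
  const content = msg.content.trim();
  if (content.length === 0) throw new Error("empty message");
  if (content.length > MAX_CHAT_LEN) throw new Error("message too long");
  if (CONTROL_CHARS.test(content)) throw new Error("control characters not allowed");
  return { ...msg, content };
};

// "API guard": returning null disables the API for clients. Server-side code
// you control (for example a custom RPC) can still write storage on their behalf.
const guardWriteStorageObjects: BeforeHook<WriteStorageObjects> = () => null;

type Outcome<T> =
  | { kind: "proceed"; payload: T }
  | { kind: "disabled" }
  | { kind: "rejected"; error: string };

// Stand-in for the server's hook dispatch; keyed by API name.
class Registry {
  private hooks = new Map<string, BeforeHook<any>>(); // any: heterogeneous payloads

  registerBefore<T>(api: string, hook: BeforeHook<T>): void {
    this.hooks.set(api, hook);
  }

  dispatch<T>(api: string, ctx: Context, payload: T): Outcome<T> {
    const hook = this.hooks.get(api);
    if (!hook) return { kind: "proceed", payload }; // no hook: request unchanged
    try {
      const result = hook(ctx, payload);
      if (result === null) return { kind: "disabled" };
      return { kind: "proceed", payload: result };
    } catch (e) {
      return { kind: "rejected", error: (e as Error).message };
    }
  }
}

function buildRegistry(): Registry {
  const r = new Registry();
  r.registerBefore("ChannelMessageSend", beforeChannelMessageSend);
  r.registerBefore("WriteStorageObjects", guardWriteStorageObjects);
  return r;
}

// Constructed requests standing in for what an untrusted client would send.
const ctx: Context = { userId: "u-1", username: "jo" };
const registry = buildRegistry();

const okChat = registry.dispatch("ChannelMessageSend", ctx, { channelId: "c1", content: "  hello  " });
const longChat = registry.dispatch("ChannelMessageSend", ctx, { channelId: "c1", content: "x".repeat(300) });
const directWrite = registry.dispatch("WriteStorageObjects", ctx, {
  objects: [{ collection: "saves", key: "slot1", value: "{}" }],
});
```

The guard only blocks the direct client call; if you still need the data written, expose a custom RPC that does the validation and then performs the write server-side, so the client never reaches the built-in endpoint.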

We now have new documentation available which covers how to guard the API if you need to:

Guarding APIs - Heroic Labs Documentation

We’ll improve that documentation over time as well.
