Currently, you can only publish to places using Open Cloud with an API key (not OAuth), and there is no way to create new universes with Open Cloud. This is extremely limiting for applications that need to manage experiences for users.
I currently use the API to create template games (like Quiz Centers) that interact with my external server for users who either do not have access to a computer to open Studio, or are not comfortable with opening Studio and publishing the experience themselves. With this automated flow, users can configure their game using a simple web configuration, removing the need for them to touch Studio at all. However, this is not possible with Open Cloud, which is making it difficult to migrate my code.
This is the current flow that is not possible with Open Cloud:
- Get all experiences that can be edited in a group
- Create a new experience with a specific name (if the user does not have an experience they want to overwrite)
- Overwrite the selected experience with a generated template experience
- Configure the experience using the web panel
The Instance APIs are not available with OAuth either. If we also had access to these APIs, we could automatically configure templates that are inserted into experiences as a model (as opposed to being a standalone game).
These APIs do have the potential for abuse (ex: automatically publishing experiences that break the TOS). However, new requirements have recently been implemented on who can publish experiences to mitigate this abuse. Furthermore, these bad actors are already using the undocumented endpoints to automatically create experiences, so adding OAuth support would not make it any easier for them.
There is also the potential for an abusive application to make unauthorized changes to experiences, or create a large number of experiences. To combat this, editing could be restricted to only selected experiences or any experience created by the application (similar to how Google Drive handles OAuth and editing files). Reasonable creation limits (like 10 experiences/user/day) would also limit attempts to spam a user’s inventory with a bunch of experiences.