How can i make Reward for 1 hour played

I don’t think this would be a good idea because exploiters can clone the gear, which is unfair. Moving it into the ServerStorage service will be a better option.

Exploiters cannot use the tool (if it’s server-sided), because the server-script can’t detect that it’s been cloned into the player’s backpack since exploits are client-sided.

And yes — tools should mainly be in ServerStorage regardless, that’s where they belong.

And everyone in the topic, using a data store that stores an integer and bool value is better to use because imagine the player was quitting the server without getting the reward. So they had had to wait again. Saving it won’t make the player wait for the reward.

Yes, but only if you want to reward players based on total time spent in the game.
OP was not asking for that, but it’s a good thing if they did mean that, though.

Also, you should attempt to save data if it fails (I also recommend UpdateAsync over SetAsync).

local Tries = 0
local Ok, Result

	Tries += 1
	Ok, Result = pcall(function()
		return Key:UpdateAsync(PlayerKey, function()
until Ok or Tries == 3 -- We don't want to spam requests to the datastore, but we'll attempt to save the data 3 times if it fails.
if not Ok then
	warn('Unable to save data!')
	print('Data has been successfully saved.')

Another thing: Do not use the parent argument of if you are setting properties afterwards, as that is slower. Set the parent after setting the properties.

This is true, but the server-side script won’t be responsible for this anymore. I didn’t understand what you meant by this below, exploiters can use the tool from the ReplicatedStorage service. Why is the script responsible for it?

What I’m saying is that it does not matter if the exploiter gets the tool as long as the tool is server-sided.

Because exploits run on the client-side, the server does not know that it has been parented into the player’s backpack.

Server-side: Nothing to see here, I'm still in ReplicatedStorage.
Client-side: Exploiter has parented me into their backpack.

That sounds easy enough to understand.
But, if the script responsible for the tool is client-sided then it is a problem, yes.
Hence: Always keep your tools in ServerStorage, or add extra security via a RemoteEvent to verify the change.

All the exploits couldn’t see by the server. And the reason I suggested you can move it into the ServerStorage is exploiters can’t clone the gear from it. Wherever you put the gear, the server couldn’t see if it cloned by the exploiters.

But it is always safer to put it inside ServerStorage than ReplicatedStorage. Imagine there weren’t players awarded with the gear. So exploiters wouldn’t have cloned it yet. This is the difference.

So exploiters wouldn’t have cloned it yet. This is the difference.

I have no idea what you mean by that, please elaborate as you said something completely different above.
ServerStorage is where you would mainly store your game-related objects, and it doesn’t replicate to the clients either, so no one has any clue how your game is set up.