Key system for securing scripts

I’ve heard many times about using API keys for securing remote events and other scripts in-game from exploiters, but I’m not really sure what those keys are.

I understand that they are some sort of numbers or words that have to match between the client and the server to work? Not really sure.

It would be very helpful if someone could explain to me what those keys are and how they work.

3 Likes

Those aren’t API keys. Sometimes the method you describe is called “passwording” your remotes. This is known as security through obscurity, which isn’t security in the first place. All you do is send the password over:

remote:FireServer("something", "gFdrBdc")

then on the server side:

remote.OnServerEvent:Connect(function(player, arg1, key)
    if key ~= "gFdrBdc" then
        return
    end

    -- continue with arg1
end)

but this is not secure at all: an exploiter can just use a remote spy and see the key. Even if the key is dynamic, they can just hookfunction on remote.FireServer to always pass the key along, with no effort on their end to actually see how new keys are made.


TL;DR: don’t try securing the client, try securing the server instead. You will never achieve 100% client security and nobody ever will, since it is their machine after all.

3 Likes
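To make the "secure the server instead" advice concrete, here is an added example (not code from the thread or from any poster) of a RemoteEvent handler that never relies on a client-held key. It assumes a hypothetical RemoteEvent named `BuyItem` in ReplicatedStorage and a server-side price table; the starting coin balance, the item names and the rate limit are constructed values. Everything the handler trusts (prices, balances, who is calling) lives on the server, so a remote spy or a hooked `FireServer` gains nothing: the worst an exploiter can do is send a request the server would have accepted from an honest client anyway.

```lua
-- Added example: server-authoritative validation instead of a client "password".
-- Assumes a RemoteEvent "BuyItem" in ReplicatedStorage (hypothetical name).
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem") -- hypothetical RemoteEvent

-- Authoritative data lives on the server; the client never tells us the price.
local PRICES = { Sword = 100, Shield = 150 }   -- constructed sample catalogue
local MAX_REQUESTS_PER_SECOND = 5              -- constructed rate limit

-- Per-player state the server owns, keyed by the Player object that
-- OnServerEvent supplies (the client cannot forge that argument).
local coins = {}        -- [player] = number
local requestLog = {}   -- [player] = { os.clock() timestamps }

Players.PlayerAdded:Connect(function(player)
    coins[player] = 500 -- constructed starting balance
    requestLog[player] = {}
end)

Players.PlayerRemoving:Connect(function(player)
    coins[player] = nil
    requestLog[player] = nil
end)

-- Sliding one-second window so a looping exploit cannot spam the remote.
local function withinRateLimit(player)
    local now = os.clock()
    local kept = {}
    for _, t in ipairs(requestLog[player] or {}) do
        if now - t < 1 then
            table.insert(kept, t)
        end
    end
    table.insert(kept, now)
    requestLog[player] = kept
    return #kept <= MAX_REQUESTS_PER_SECOND
end

buyItem.OnServerEvent:Connect(function(player, itemName)
    -- 1. Shape check: the only client-supplied argument must be a string
    --    naming an item the server knows about. Anything else is dropped.
    if typeof(itemName) ~= "string" or PRICES[itemName] == nil then
        warn(("rejected BuyItem from %s: bad item %s"):format(player.Name, tostring(itemName)))
        return
    end

    -- 2. Per-player rate limit, tracked on the server.
    if not withinRateLimit(player) then
        warn(("rate limited BuyItem from %s"):format(player.Name))
        return
    end

    -- 3. Business rule checked against server-side state only:
    --    server-side balance versus server-side price.
    local price = PRICES[itemName]
    local balance = coins[player] or 0
    if balance < price then
        return
    end
    coins[player] = balance - price

    -- ...grant the item here. The client only receives the outcome,
    -- matching the advice to send parameters server -> client, not the reverse.
    buyItem:FireClient(player, itemName, coins[player])
end)
```

Note what is absent: there is no key argument at all. Adding one would not change what the server can trust, because every value the client sends, key included, is under the exploiter's control; the type check, the rate limit and the balance check are the parts that actually decide whether the request is honoured.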

A lot of people who are unfamiliar with or naive about the security of client-server interactions will have unique strings or sequences which have to match in order for a communication to be accepted. The logic behind this is that the unique sequence must be kept private; however, this is a very unreliable assumption to make, because what if it does get leaked? Or even figured out (there is a chance someone could guess it correctly, however small that chance is)?

Generally when working in super secure environments, keys are not used without some form of calculation involved. You should look up end-to-end encryption (which is mathematically the only truly secure way of transmitting information between two nodes on a server) to see why keys are unreliable.

To increase reliability of client-server interactions you should refrain from transmitting any parameters through remotes wherever possible. I understand that sometimes it is essential to have some sort of algorithm run on the client which would need a parameter to run effectively, which is why I personally only transmit parameters to the client, from the server, and never the other way round.

2 Likes

Then, what are the API Keys?

Even if the client will never be totally secure, is it recommended or useful to secure it?

An API key is a unique code for an API for identification purposes. Such as a Discord webhook link.

You can try, but in the end exploiters can just bypass your client checks.

3 Likes