I'm working on a Unity project that requires communication with a custom REST API built in Node.js with Express. My main concern is securing the API so that only my Unity game client can access it and prevent access from web browsers or other unauthorized clients.
My setup:
Unity game client.
Node.js + Express server.
Localhost during development, with plans to deploy the API.
API Keys: These can be exposed if extracted from the Unity client, so I’m not confident this will provide sufficient security.
JWTs (JSON Web Tokens): Seems like a viable option, but I’m unsure how to implement it in a way that would restrict access specifically to Unity clients.
Custom Headers or Tokens: Using a custom header unique to Unity, but again, not sure if this can effectively block browser access.
Posting this as an answer as I don't have enough rep to comment.
I use a User-Agent Custom Header with a secret string (something like User-Agent:MySecretAgentString). Your Unity Client could add this header to all outgoing API calls, and your Server could filter out those that don't have it.
That being said, as @derHugo pointed out, outgoing packets could still be intercepted and the User-Agent string could be read. I only use the User-Agent to broadly understand where calls are coming from, and respond with platform-appropriate data if necessary. A sturdier solution would be using some sort of authentication token that validates the Client itself.