Did you find this helpful?
API Feature Settings in the PlayFab Game Manager
The API features are a handful of options for managing behavior of PlayFab's API for your title. This gives you tools for managing access, privacy, and others. They can be seen in Game Manager, in Settings -> API Features
Some of these check-boxes are obvious, and some not so much. We go into detail about several of them here.
Several screenshots and demonstrations in this guide utilize Postman.
Require valid JSON for custom data values
Hacked clients can cause serious problems for games. Rogue API callers posting badly formatted data can produce noise, bugs, and issues for developers. Players who have poorly formatted data will often require manual intervention to cleanup. Requiring valid JSON for custom data values will perform basic content type validation before data is saved to the database. Catching these problems early prevents these issues from lingering on, and stops hackers from interfering with normal development.
When this flag is set, this forces clients to pass in valid JSON for each key of their custom data. Simple JSON validation by itself won't prevent all issues, but can help weed out some bad behavior. Checking this will require each key saved across all custom data, including Player, Publisher, Character, Title, and Item data must be valid JSON. This flag can be toggled on or off at any time. But, it’s not retroactive. That is, existing values will not be affected. Only newly written values will be checked.
If you attempt to pass invalid JSON on as a value, it will reject the request with a 400.
Disable all API request access
Surprisingly, it can be useful to disable all API access to your title. If, for example, you are performing a sensitive migration with downtime, stray API requests could cause serious interruptions. If you are retiring your game, this will guarantee your game really is off. Keep in mind, marking this checkbox will LITERALLY BREAK YOUR GAME, so use with caution.
Once you have decided you need to turn your API off, and you check this button, all API requests will begin to fail within a few minutes. PlayFab will return a 400 indicating the title has disabled such usage.
These 400 responses will persist until you uncheck the box. Again, unchecking may take a few minutes to have effect.
Enable player IP address obfuscation
For many studios, owning Personally Identifiable Information (PII) is a liability best avoided. One common, and useful, form of PII is IP address. IP address is useful for a handful of reasons, including geo-location. However, the full accuracy of the IP is often considered PII. So, PlayFab can help limit this is by obfuscating parts of the IP addresses. Now, by checking a box, you can stop gathering this sensitive data.
After you check this box, PlayFab will always record “0” for the last octet of their IP. You can verify this is working by checking login history for players in the Players tab. You should see that every IP ends in ".0". Note that any IPs we recorded before IP address obfuscation was enabled will retain their full detail. So if your game is PII sensitive, set this checkbox before you launch.
Be aware that enabling obfuscation will impact other features that use IP. In particular IP based geo-location and player banning by IP are the two most directly impacted. PlayFab automatically performs IP based geo-location on logins. This helps you automatically learn about where on earth your players come from. However, you may experience reduced accuracy, particularly at the city level, when using obfuscated IPs. This is intentional, as the goal of obfuscating IPs is to avoid recording PII, including exact locations.
Additionally, Obfuscating IPs can affect bans. When adding a ban, you can optionally ban an IP as well. Often banning by IP is more practical than banning one account at a time, because the bad actor can just make new accounts. Banning an IP prevents the bad actor from making new accounts from the same internet connection. In many cases, this is an effective tool. However, with obfuscated IPs, banning an exact IP cannot work. Instead, you must use a ban an ip with ".0" as the final octet.
However, keep in mind this will effectively ban an entire IP range. This will still ban the bad actor, but other innocent players with similar IP address may be affected. Furthermore, existing precise IP bans will cease to be effective.