Any way to block users from connecting?
Encountered a very determined hacker for our game today, who spoofed a bunch of API calls to avoid our existing moderation/banning systems. I'm realizing that since hackers can spoof any API calls to evade detection, the only real place we need to block them is on the Normcore server, to prevent them from connecting to any room to begin with.
Will there ever be the ability to set up custom logic on the Normcore side? Separately, would love to know if anyone's been able to get Meta to help revoke entitlements lol.. I can block by hardcoding Meta User IDs (assuming these are difficult to spoof client-side from the Meta SDK?), but it's kind of a pain to push builds for something like this.
10 Replies
Hi @kyle. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Yes, there are ways to block users from connecting at the Normcore server level, especially if you are using Normcore Private (either Cloud or On-Premises). Normcore Private supports a Webhooks API that allows you to implement custom authentication and entitlement logic on the server side. This means you can block users before they ever connect to a room, based on any criteria you define (such as user IDs, entitlements, or other context).
When a client attempts to connect, the matcher service sends a POST request to your webhook endpoint with details about the connection attempt (including appKey, roomName, and an optional context string). Your webhook can then approve or deny the connection. If you deny the request, you can provide a human-readable error message and additional context for your application. This is the recommended way to enforce bans or custom access logic at the server level, and it does not require pushing new builds—just updating your backend logic or ban list as needed. For more details and example request/response formats, see the Webhooks documentation.
Regarding Meta entitlements: The knowledge sources do not provide information about Meta's process for revoking entitlements or how effective it is to block by Meta User ID. However, if you can reliably obtain the Meta User ID and pass it as part of the context when connecting, you can use the webhook to block specific users without needing to push new builds.
In summary:
- Use Normcore Private's Webhooks API to block users at the server level, based on your own logic.
- This approach is flexible and does not require client updates.
- Blocking by Meta User ID is possible if you pass it to your webhook, but the knowledge sources do not cover Meta's support for entitlement revocation.

If you are not using Normcore Private, this level of server-side control is not available in the public version at this time. If you need this feature, you may want to consider migrating to Normcore Private or reaching out to NormalVR for more information about your options.

Sources: Webhooks, Normcore Private
----------------------
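As an added example that is not Normcore's or the thread's own code: a small Python webhook handler for the allow/deny decision the answer above describes. The request fields appKey, roomName and context are the ones the answer lists; everything else is an assumption for illustration, namely the response keys (allowed, error, context), the metaUserId field the client is assumed to pack into the context string, the ban list and the sample requests. Check the Webhooks documentation for the real request/response schema before building on it.

```python
"""Ban-check webhook for a Normcore-style connection request (added example).

Assumed (not from the page): response keys "allowed"/"error"/"context",
a "metaUserId" field inside the client-supplied context string, and the
HTTP status used for a deny.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed ban list keyed by app key, so one backend can serve several
# apps. In production this is a database that the moderation tools update,
# which is what makes bans possible without shipping a new client build.
BANNED_META_USER_IDS = {
    "app_demo": {"1234567890123456"},
}


def _deny(reason, detail=None):
    """Build a deny response with a human-readable error and optional extra context."""
    resp = {"allowed": False, "error": reason}
    if detail is not None:
        resp["context"] = detail
    return resp


def handle_connect(body: bytes) -> dict:
    """Decide whether a connection attempt may proceed.

    Fails closed: bad JSON, missing fields or an unreadable context is a
    deny, never a silent allow.
    """
    try:
        req = json.loads(body)
    except ValueError:
        return _deny("Malformed request")
    if not isinstance(req, dict):
        return _deny("Malformed request")

    app_key = req.get("appKey")
    room_name = req.get("roomName")
    if not isinstance(app_key, str) or not isinstance(room_name, str):
        return _deny("Missing appKey or roomName")

    # The context is an opaque string chosen by the client. It is expected
    # here to be JSON carrying a Meta user ID (assumed field name). Because
    # the client supplies it, a cheater can lie about it; only a server-side
    # verification of the ID (the nonce check discussed later in the thread)
    # makes this value trustworthy. The handler itself just enforces the list.
    context = req.get("context")
    if not isinstance(context, str) or not context:
        return _deny("Missing identity context")
    try:
        meta_user_id = json.loads(context)["metaUserId"]
    except (ValueError, KeyError, TypeError):
        return _deny("Unreadable identity context")
    # Meta user IDs are numeric; reject anything else before the lookup.
    if not isinstance(meta_user_id, str) or not meta_user_id.isdigit():
        return _deny("Invalid Meta user ID")

    if meta_user_id in BANNED_META_USER_IDS.get(app_key, set()):
        return _deny("You have been banned from this game.",
                     {"reason": "banned", "metaUserId": meta_user_id})
    return {"allowed": True}


def make_request(app_key, room_name, meta_user_id) -> bytes:
    """Construct a sample matcher request body (test data, not a real capture)."""
    ctx = json.dumps({"metaUserId": meta_user_id})
    return json.dumps({"appKey": app_key, "roomName": room_name,
                       "context": ctx}).encode()


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint wrapping handle_connect; status code is assumed."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        resp = handle_connect(self.rfile.read(length))
        out = json.dumps(resp).encode()
        self.send_response(200 if resp["allowed"] else 403)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    for body in (make_request("app_demo", "room-1", "42"),
                 make_request("app_demo", "room-1", "1234567890123456"),
                 b"not json"):
        print(handle_connect(body))
    # To serve it: HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

The handler fails closed on every malformed input, and the ban list lives outside the client entirely, which is the property the question asks for: a spoofed API call cannot remove an entry from a table the client never touches. The comment on the context string is the caveat from the original post, whatever the client writes there is only as trustworthy as the server-side verification behind it.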
Ah, is this only possible with Normcore Private right now?
We have a webhook API on Normcore Private, but we plan to open it up on public later this year. We also are going to ship an Oculus nonce check that will let you ban IDs in a way that you can’t fake
Unfortunately, I don't have a good solution for you today, other than to have your backend service generate UUID room names so they're not guessable.
Then have your backend service use the Oculus nonce check API to ensure the Oculus user ID is not spoofed and that the user isn't banned from your game.
Got it, I'll look out for all that later this year! Thanks.
Sure thing. If it becomes a real issue, DM me and I can ban them from Normcore entirely.
Good to know, will be great to have the native solution since I was worried about this for the future
The latest Normcore encrypts app keys, which is the first step, but we have Oculus nonce checking and an API to generate ephemeral API keys on the way.
Oh awesome, yeah I remember seeing that it would have been fully possible to just rip the app keys out and was like "oh man that's not great" haha
God yeah I'm so thankful Normcore encrypts app keys
Should really be the bare minimum considering how much they can cost you