SilentWolf is a free plugin for Godot that streamlines setting up server-side features like leaderboards and player accounts. Provided by BrassHarpooner, this service has significant security and licensing issues.
Security Concerns:
To use SilentWolf, you need to set the API key and game ID in your game’s GDScript. For example:
```gdscript
SilentWolf.setup({
    "api_key": "YOUR_API_KEY",
    "game_id": "YOUR_GAME_ID",
    "log_level": 1
})
```
The problem is that the API key allows actions like adding scores under any player name, wiping leaderboards, and modifying any player’s data, all from the client API. If your game is open source, the key can be easily found. Additionally, SilentWolf doesn’t use a secure connection, making it easier to intercept the key.
Licensing Issues:
While the SilentWolf plugin can be read and downloaded, it lacks a public repo and a clear license. According to SilentWolf’s terms of service, all code belongs to them, and you cannot modify or redistribute it without explicit permission.
Furthermore, SilentWolf’s backend is closed source and not self-hostable. This means that if BrassHarpooner stops supporting it, you’ll lose all your online features.
Alternatives:
Consider using these open-source solutions:
- W4Cloud: Auth, lobbies, matchmaking, and more, created by Godot founders.
- Talo: Simple and supports offline mode. I’m transitioning to this.
- Nakama: Comprehensive and community-supported.
- Quiver: Focused on Godot, offering leaderboards and analytics.
EDIT: Some users mentioned not storing API keys in repos. While important, even scoped keys like those used by Talo offer an extra security layer by only affecting the current player.
EDIT 2: Added context about SilentWolf authentication and W4Cloud.
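The scoped-key idea from the first EDIT, sketched as an added example (not code from the post, SilentWolf, or Talo): a backend issues each authenticated player a signed token and authorizes every request against the player that token names. The secret, the action names and the token format are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: constructed demo secret. It lives only on the backend, never in the game build.
SERVER_SECRET = b"constructed-demo-secret"
# Hypothetical action names; only these are ever accepted from a game client.
PLAYER_ACTIONS = {"submit_score", "update_player_data"}


def _sign(body: str) -> bytes:
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)


def issue_player_token(player_id, ttl=3600, now=None):
    """Issue a token bound to one player and an expiry, after that player logs in."""
    claims = {"sub": player_id, "exp": int((now or time.time()) + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body).decode()


def verify_token(token, now=None):
    """Return the player id the token was issued to, or None if invalid or expired."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    if claims["exp"] < (now or time.time()):
        return None
    return claims["sub"]


def authorize(token, action, target_player, now=None):
    """Allow a request only if it acts on the player the token belongs to."""
    player = verify_token(token, now)
    if player is None or action not in PLAYER_ACTIONS:
        return False  # bad token, or an admin action such as wiping a leaderboard
    return target_player == player
```

With this shape, a token extracted from one game client can only change that player's own entries until it expires, and administrative actions are never reachable with client credentials.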