Webhook Authentication

Once you’ve created a Web World, you can configure authentication providers to control access.

To enable auth webhooks, in the MSquared Dashboard, go to Projects > [Your Project] > Web World Instances > [Your World] and navigate to Auth Configuration.

Here you can enable or disable anonymous access. If using authentication, you’ll likely want to disable it - otherwise both anonymous and authenticated users can access your world.

To use webhook auth to connect to a world, pass a token as a query parameter in the URL. For example (replace TOKEN):

https://example-project-id_example-world-id.mml.world?token=TOKEN

During connection, the Webhook URL is called with the token as a query parameter—your backend must validate it. For example:

https://example.com/api/my-auth-endpoint?token=PASSED_THROUGH_TOKEN

If the webhook responds with anything other than a 200 status then the user's connection will be rejected.

The body of the response must also contain the user connection details matching one of the following schemas:

{
    username: string,
    characterDescription:   
      | {
          meshFileUrl: string;
          mmlCharacterString?: null;
          mmlCharacterUrl?: null;
        }
      | {
          meshFileUrl?: null;
          mmlCharacterString: string;
          mmlCharacterUrl?: null;
        }
      | {
          meshFileUrl?: null;
          mmlCharacterString?: null;
          mmlCharacterUrl: string;
        };
}

The properties are:

• username - the user's name to appear as in world.

• characterDescription.meshFileUrl - a publicly accessible URL for downloading a mesh.

• characterDescription.mmlCharacterString - a valid <m-character>.

• characterDescription.mmlCharacterUrl - a publicly accessible url for downloading an mml character.

The quickest way to get started is using characterDescription.mmlCharacterUrl and setting it to the processed mmlUrl result of an MSquared Avatar upload.