# Webhook Authentication

{% hint style="info" %}
*Auth webhooks are not available on the free tier.*
{% endhint %}

Once you’ve created a Web World, you can configure authentication providers to control access.

To enable auth webhooks, in the MSquared Dashboard, go to **Projects > \[Your Project] > Web World Instances > \[Your World]** and navigate to **Auth Configuration**.

<figure><img src="https://2271315935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVBQO2iPnILMdx3kAONnG%2Fuploads%2Fp8Hbyg6GLf8BOKQZOyKM%2Fimage.png?alt=media&#x26;token=880d64dd-63bb-4740-982a-fe91de24cea8" alt=""><figcaption></figcaption></figure>

Here you can enable or disable anonymous access. If using authentication, you’ll likely want to disable it - otherwise both anonymous and authenticated users can access your world.

To use webhook auth to connect to a world, pass a token as a query parameter in the URL. For example (replace `TOKEN`):

```
https://example-project-id_example-world-id.mml.world?token=TOKEN
```

During connection, the Webhook URL is called with the token as a query parameter—your backend must validate it. For example:

```
https://example.com/api/my-auth-endpoint?token=PASSED_THROUGH_TOKEN
```

If the webhook responds with anything other than a `200` status then the user's connection will be rejected.

The body of the response must also contain the user connection details matching one of the following schemas:

```typescript
{
    username: string,
    characterDescription:   
      | {
          meshFileUrl: string;
          mmlCharacterString?: null;
          mmlCharacterUrl?: null;
        }
      | {
          meshFileUrl?: null;
          mmlCharacterString: string;
          mmlCharacterUrl?: null;
        }
      | {
          meshFileUrl?: null;
          mmlCharacterString?: null;
          mmlCharacterUrl: string;
        };
}
```

The properties are:

* `username`  - the user's name to appear as in world.
* `characterDescription.meshFileUrl`  - a publicly accessible URL for downloading a mesh.
* `characterDescription.mmlCharacterString`  - a valid [\<m-character>](https://mml.io/docs/reference/elements/m-character).
* `characterDescription.mmlCharacterUrl`  - a publicly accessible url for downloading an mml character.

The quickest way to get started is using `characterDescription.mmlCharacterUrl` and setting it to the processed `mmlUrl` result of an MSquared Avatar upload.

{% hint style="success" %}
See how to produce a `mmlUrl`  in the Avatars [Getting Started](https://docs.msquared.io/dash/avatars/getting-started) guide.
{% endhint %}