# LeaderOS Auth

> Provides in-game login/register operations via the LeaderOS API

## Download

[https://www.spigotmc.org/resources/leaderos-auth.127863/](https://www.spigotmc.org/resources/leaderos-auth.127863/)

## Source Code

[https://github.com/leaderos-net/minecraft-leaderos-auth](https://github.com/leaderos-net/minecraft-leaderos-auth)

## Features

* Enables in-game login/register operations directly via the LeaderOS API.
* Works without a database connection. If you are experiencing database connectivity issues, this plugin is the perfect solution.
* Seamless integration with LeaderOS.
* Compatible with Velocity, Bungeecord, and Spigot/Paper.
* Provides secure and stable authentication.
* A modern alternative to AuthMe and LimboAuth.

## Installation Summary

**If you are using Velocity, install only the Velocity JAR.**

* Fill in the `url` and `api-key` fields in `config.yml`.

**If you are using Bungeecord, install both the Bungeecord JAR and the Spigot/Paper JAR.**

* Install the Spigot/Paper JAR on your Auth/Lobby server.
* Fill in the `auth-server` field in the Bungeecord `config.yml`.
* Fill in the `url` and `api-key` fields in the Spigot/Paper `config.yml`.

**If you are not using any proxy system (Standalone), install only the Spigot/Paper JAR.**

* Fill in the `url` and `api-key` fields in `config.yml`.

**Important fields in config.yml:**

* You can set the `lang` value to `en` to enable English language support (or `tr` for Turkish).
* The `url` value must be your website's URL. Example: `https://myserver.com`
* The `api-key` is the key found on your website under **Dashboard > Settings > API**.

<Warning>
  If you are using Cloudflare, you must also perform the following step: [Unblocking API for sites using Cloudflare](/plugins/minecraft/leaderos-auth#unblocking-api-for-sites-using-cloudflare)
</Warning>

## Usage with Velocity

With the Velocity version, you can set up authentication without needing a dedicated "fake lobby" server. When a user joins, they are directed to a virtual Limbo server generated by the proxy for login/registration. Once authenticated, the player is redirected to the main server.

### Velocity Requirements

* Velocity 3.4 b520 or higher.
* LimboAPI 1.1.27.

### Installation for Velocity

1. Download the plugin and upload the **Velocity JAR** to your Velocity server's `plugins` folder.
2. Restart the Velocity server.
3. Once the server restarts, open `plugins/leaderosauth/config.yml`. Fill in the `url` and `api-key` fields:
   * `url`: Enter your website's URL. Example: `https://myserver.com`
   * `api-key`: Enter your website's API key. You can find this in **Dashboard > Settings > API**.
4. Restart the Velocity server again to complete the installation.

*Note: When using the Velocity method, you do not need to install the plugin on your Spigot/Paper servers. Installing the Velocity version is sufficient.*

## Usage with Bungeecord

The Bungeecord version is designed for security. It requires a Spigot/Paper server to handle the actual login/registration process; it does not work by installing it solely on Bungeecord. The purpose of this version is to prevent users from connecting to the lobby with an admin account and executing commands like `/server` before logging in.

<Warning>
  If you are using Bungeecord, you absolutely must use this plugin. Otherwise, malicious users could connect to your lobby with an admin username and use commands like /server to bypass authentication, potentially harming your server.
</Warning>

<Note>
  Using only the Bungeecord JAR is not enough. You must also install the plugin on a Spigot/Paper server (your auth lobby).
</Note>

### Installation for Bungeecord

1. Download the plugin and upload the **Bungeecord JAR** to your Bungeecord server's `plugins` folder.
2. Restart the Bungeecord server.
3. Once the server restarts, open `plugins/LeaderOS-Auth/config.yml` and set the `auth-server` field to the name of the Spigot/Paper server where auth will take place (e.g., `auth_lobby`).
4. Restart the Bungeecord server again.
5. Install the Spigot/Paper version of the plugin on the server designated for authentication. Details on this installation can be found in the section below.

## Usage with Spigot/Paper

You need to install this version on the server where players will log in. If you are using Bungeecord, you must install both this version (on the backend server) and the Bungeecord version (on the proxy).

### Installation for Spigot/Paper

1. Download the plugin and upload the **Spigot/Paper JAR** to your server.
2. Restart your server.
3. Once the server restarts, open `plugins/LeaderOS-Auth/config.yml`. Fill in the `url` and `api-key` fields:
   * `url`: Enter your website's URL. Example: `https://myserver.com`
   * `api-key`: Enter your website's API key. You can find this in **Dashboard > Settings > API**.
   * `send-after-auth`: If you want to redirect the player to a different server after a successful login/register, set this to `true` and specify the `server` name. Example: `lobby`

## config.yml

### Velocity

```yaml
# Main settings
settings:
  # Plugin language (e.g., en, tr)
  lang: en
  # Your website URL
  url: https://myserver.com
  # You can get the API key from Dashboard > Settings > API
  api-key: 123456789abcdefghjklmnb
  # Debug mode
  # Available modes:
  # DISABLED: Disables debug messages
  # ENABLED: Shows all debug messages
  # ONLY_ERRORS: Shows only error messages
  debug-mode: ONLY_ERRORS
  # Should session system be enabled?
  # If enabled, players joining from the same IP won't be asked for a password again. Recommended: false.
  session: false
  # If the player is not registered on the site, they cannot join. Enable this if you only want registration via the website.
  kick-non-registered: false
  # Kick player if they enter the wrong password.
  kick-on-wrong-password: true
  # Kick player if they haven't logged in within 60 seconds.
  auth-timeout: 60
  # Cooldown in seconds for commands like /login and /register
  command-cooldown: 3
  # Minimum allowed password length (can be set to 4 or higher).
  min-password-length: 5
  # List of commands that will be used to log in
  login-commands:
  - login
  - log
  - l
  - giris
  - giriş
  # List of commands that will be used to register
  register-commands:
  - register
  - reg
  - kayit
  - kayıt
  # Disallowed passwords. Simple and easily guessable passwords should be added here.
  unsafe-passwords:
  - '123456'
  - password
  - qwerty
  - '123456789'
  - help
  - sifre
  - '12345'
  - asd123
  - qwe123
```

### Bungeecord

```yaml
# Main settings
settings:
  # Debug mode
  # Available modes:
  # DISABLED: Disables debug messages
  # ENABLED: Shows all debug messages
  # ONLY_ERRORS: Shows only error messages
  debug-mode: ONLY_ERRORS
  # Enter the name of the server where login/register operations will take place.
  auth-server: auth_lobby
  # Which commands are whitelisted during the login/register phase?
  allowed-commands:
  - login
  - log
  - l
  - giris
  - giriş
  - register
  - reg
  - kaydol
  - kayit
  - kayıt
```

### Spigot/Paper

```yaml
# Main settings
settings:
  # Plugin language
  lang: en
  # Your website URL
  url: https://myserver.com
  # You can get the API key from Dashboard > Settings > API
  api-key: 123456789abcdefghjklmnb
  # Debug mode
  # Available modes:
  # DISABLED: Disables debug messages
  # ENABLED: Shows all debug messages
  # ONLY_ERRORS: Shows only error messages
  debug-mode: ONLY_ERRORS
  # Should session system be enabled?
  # If enabled, players joining from the same IP won't be asked for a password again. Recommended: false.
  session: false
  # Forces the player into survival mode upon joining.
  force-survival-mode: true
  # If the player is not registered on the site, they cannot join. Enable this if you only want registration via the website.
  kick-non-registered: false
  # Kick player if they enter the wrong password.
  kick-on-wrong-password: true
  # Kick player if they haven't logged in within 60 seconds.
  auth-timeout: 60
  # Cooldown in seconds for commands like /login and /register
  command-cooldown: 3
  # Minimum allowed password length (can be set to 4 or higher).
  min-password-length: 5
  # If enabled, the player is sent to another server after successful login/registration.
  send-after-auth:
    # Set to true to enable.
    enabled: true
    # If enabled: true, the player is sent to this server after auth.
    server: lobby
  # Which commands are whitelisted during the login/register phase?
  allowed-commands:
  - login
  - log
  - l
  - giris
  - giriş
  - register
  - reg
  - kaydol
  - kayit
  - kayıt
  # Disallowed passwords. Simple and easily guessable passwords should be added here.
  unsafe-passwords:
  - '123456'
  - password
  - qwerty
  - '123456789'
  - help
  - sifre
  - '12345'
  - asd123
  - qwe123
```
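
A pre-deployment check for the Velocity and Spigot/Paper `config.yml` files shown above, as an added example that is not part of the plugin or its documentation. The `parse_settings` and `audit` helpers are hypothetical names, and the HTTPS requirement and the length threshold of 5 are this example's assumptions; the `session` check follows the "Recommended: false" comment in the config.

```python
import re

DOCS_SAMPLE_KEY = "123456789abcdefghjklmnb"  # placeholder value shown in the docs

def parse_settings(text):
    """Read the 2-space-indented scalars and lists under `settings:` (no YAML library)."""
    settings, current = {}, None
    for line in text.splitlines():
        scalar = re.match(r"^  ([\w-]+):\s*(.*)$", line)
        item = re.match(r"^  - (.+)$", line)
        if scalar:
            current, value = scalar.group(1), scalar.group(2).strip().strip("'\"")
            settings[current] = value if value else []
        elif item and isinstance(settings.get(current), list):
            settings[current].append(item.group(1).strip().strip("'\""))
    return settings

def audit(text):
    """Return (key, reason) pairs for settings this example treats as weak."""
    s = parse_settings(text)
    findings = []
    if not str(s.get("url") or "").startswith("https://"):
        findings.append(("url", "not HTTPS; API traffic would be unencrypted"))
    if s.get("api-key") in (None, [], DOCS_SAMPLE_KEY):
        findings.append(("api-key", "missing or still the docs placeholder"))
    if s.get("session") != "false":
        findings.append(("session", "IP-based sessions skip the password; docs recommend false"))
    if s.get("kick-on-wrong-password") != "true":
        findings.append(("kick-on-wrong-password", "wrong guesses are not kicked"))
    length = str(s.get("min-password-length") or "")
    if not length.isdigit() or int(length) < 5:  # 5 = value shipped in the docs
        findings.append(("min-password-length", "below the shipped value of 5"))
    if not s.get("unsafe-passwords"):
        findings.append(("unsafe-passwords", "deny-list is empty"))
    return findings

# Constructed sample, not a real server's file.
WEAK = """settings:
  url: http://myserver.com
  api-key: 123456789abcdefghjklmnb
  session: true
  kick-on-wrong-password: false
  min-password-length: 4
  unsafe-passwords:
"""

if __name__ == "__main__":
    for key, reason in audit(WEAK):
        print(f"{key}: {reason}")
```

The Bungeecord `config.yml` carries none of these keys, so run the check only against the file that holds `url` and `api-key`.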

## Unblocking API for sites using Cloudflare

If you are using Cloudflare, it may block your API system and prevent player logins. In this case, follow the steps below to whitelist the API system in Cloudflare:

1. Log in to your Cloudflare dashboard.
2. Navigate to Cloudflare > Security > Security Rules (WAF) > Create Rule > Custom Rules.
3. Create a rule that matches the configuration shown in the image below.
   <img src="https://mintcdn.com/leaderos/uIkt9ENb_kzPauDW/images/plugins/cloudflare-api-whitelist.png?fit=max&auto=format&n=uIkt9ENb_kzPauDW&q=85&s=d77db843317a55a07ab12b462d1a1502" alt="Cloudflare Custom Rule" width="1960" height="1948" data-path="images/plugins/cloudflare-api-whitelist.png" />
