Players are able to modify their currency and inventory

I am new to using Unity Gaming Services and realized that players are able to modify their own balance and inventory using the REST API.

If I didn’t get it wrong, they can obtain their access token when logging in, then call the REST API endpoints like POST{projectId}/players/{playerId}/currencies/{currencyId} to change their balances.

I am very confused and don’t understand the meaning of this service anymore. Why can the players modify their own balances?

1 Like

I don’t know, but shouldn’t you validate this on the server with cloud code? This seems something that should be done with that.

You can control if these operations can be called from the client by using Access Control.
By enabling custom rules, you can ensure economy can only be called through cloud-code or your own backend.

More information can be seen here:
This is so we can give developers full control over the security model for their game.

Let me know if you have any questions.

1 Like

@erickb_unity Hi, where I can read about restricting access to economy API to allow only my backend to call it?
I’m looking for a proxy scenario, where my backend is intermediary between client and the UGS Economy.


You’ll want to look at Access Control to block the player access and service account authentication to call the economy from your backend.

Access Control:

Example of project policy to fully block economy from Player write operations:
“Sid”: “deny-all-economy-access”,
“Effect”: “Deny”,
“Action”: [“"],
“Principal”: “Player”,
“Resource”: "urn:ugs:economy:


Service Account Authentication:

You’ll need to exchange your service account credentials for a stateless token before using it with the Economy api from your backend using this api: Unity Services Web API docs

Let me know if you have any more questions