AuthCore is a high-performance, server-side login framework designed for large-scale Fabric 1.21+ environments. While other mods just check a password, AuthCore manages the entire lifecycle of a player's session, securing the server against bot attacks, griefing attempts during login, and session hijacking.
Ideal for: Massive SMPs, Public Community Servers, and Hybrid Networks demanding 20 TPS.
Designed for server owners who need absolute control. Here is how AuthCore’s configuration translates to real-world server benefits.
| ⚙️ Configuration / Features | 🚀 Benefits for Minecraft Server |
|---|---|
| Hermetic Limbo State (Blocks: Breaking, Placing, Item Use, Drops, Movement, Chat, Commands) |
Zero-Grief Lobby. Unauthenticated players are effectively ghosts. They cannot spam chat, ruin spawn, steal items, or generate chunk updates that lag the server. |
| Granular Entity Protection (Separately blocks attacks on: Players, Hostiles, Animals, Pets, Villagers) |
Spawn Integrity. Prevents malicious users from logging in just to kill the community pet or trade-lock villagers before they even authenticate. |
| Smart Session Management (IP Locking, Session Timeouts, Re-login Windows) |
Anti-Hijacking. If a player disconnects, their session is saved briefly for quick rejoins. However, if a different IP tries to join, the gate slams shut. Prevents session stealing. |
| Hybrid Authentication (Online-Mode Auto-Login & Offline-Mode Support) |
Frictionless UX. Paid Minecraft users ( online-mode) skip the password prompt entirely. Offline-Mode users are securely sandboxed. Best of both worlds. |
| Brute-Force Mitigation (Max Login Attempts, Kick Cooldowns, Proxy Blocking) |
DDoS/Bot Resilience. Automatically purges bad actors guessing passwords. Built-in Proxy/VPN checks reduce bot traffic without needing external firewalls. |
| UX-First Feedback (Titles, Subtitles, Action Bars, Chat - All Configurable) |
Professional Polish. Don't spam the chat box. Use clean Title Screens and Action Bars to guide users, keeping the chat clean for actual players. |
| Password Complexity Logic (Regex: Min Length, Upper/Lower, Digits) |
Security Compliance. Force your admins and VIPs to use real passwords, not "12345", reducing the risk of social engineering hacks. |
- Install Prerequisites: Grab Fabric Loader and Fabric API.
- Download: Get the latest
authcore-x.x.x.jarfrom Modrinth or GitHub Releases. - Install: Drop the
.jarinto your server'smods/folder. - Run: Start the server. The configuration file will generate at
config/authcore/settings.conf.
Basic commands available to everyone.
| Command | Usage | Description |
|---|---|---|
| Register | /register <password> [<confirm-password> <2fa-code>] <2fa-code> |
Create an identity. Confirmation required & 2fa Code if enabled in config. |
| Login | /login <password> |
Authenticate credentials and release the Limbo state. |
| Logout | /account logout |
Manually end session (force password on next join). |
| Change Pass | /account set-password <new-password> |
Update credentials securely. |
| Unregister | /account unregister |
Self-service account deletion (GDPR compliance). |
Requires OP or Permission Level 3+.
| Command | Usage | Description |
|---|---|---|
| Reload | /authcore reload |
Hot-swaps settings.conf and messages without a restart. |
| List Players | /authcore list players |
Lists all registered player usernames. |
| List Online | /authcore list online-players |
Lists all online-mode players. |
| List Offline | /authcore list offline-players |
Lists all offline-mode players. |
| Delete Player | /authcore delete player <player> |
Wipes player data from the DB. The "Nuclear Option". |
| Destroy Sess | /authcore destroy-session <player> |
Destroys a session and disconnects the user immediately. |
| WhoIs | /authcore whois <username> <uuid> <player> |
Displays UUID, IP, Reg Date, Last Login, and Auth Mode. |
| Set Password | /authcore set-password <player> <new-password> |
Administrative password reset. |
| Set Mode Online | /authcore set-mode online <player> |
Toggles specific users to Online-Mode validation. |
| Set Mode Offline | /authcore set-mode offline <player> <new-password> |
Toggles specific users to Offline-Mode validation. |
| Set Spawn | /authcore set-spawn limbo <x> <y> <z> |
Sets the precise X/Y/Z for the Limbo spawn. |
- Velocity / BungeeCord Plugin: A dedicated upstream plugin for network-wide auth handling.
- 2FA Support: Integration with TOTP apps (Google Auth) for User accounts. 📱
- Visual Captcha: Map-based or inventory-based CAPTCHA to stop advanced bots. 🤖
- Database SQL Support: MySQL/MariaDB/PostgreSQL support for syncing data across multiple backend servers. 🗄️
- Web Panel: A lightweight HTML interface for admins to manage users externally.
- Progressive Punishment: Exponential cooldowns (
5s->30s->5m) for failed password attempts.
Building from source (if you're brave):
- Requirements: Java 25+ & Gradle 8+
# Clone the repo
git clone [https://github.com/DawnOfDedSec/AuthCore.git](https://github.com/DawnOfDedSec/AuthCore.git)
cd AuthCore
# Build the jar
./gradlew buildContributions are welcome! To contribute:
- Fork the repository
- Create a new branch:
git checkout -b feature/your-feature-name - Make your changes and commit:
git commit -m 'Add new feature' - Push to your fork:
git push origin feature/your-feature-name - Open a pull request: https://github.com/DawnOfDedSec/AuthCore/pulls
Please follow the existing code style and include clear commit messages. For major changes, open an issue first to discuss what you’d like to change.
This project is licensed under the CC0 1.0 Universal (Public Domain). You are free to use, modify, and distribute this mod without any restrictions.
Found a bug or have a feature request?
Open an issue: https://github.com/DawnOfDedSec/AuthCore/issues
Start a discussion: https://github.com/DawnOfDedSec/AuthCore/discussions