-
Notifications
You must be signed in to change notification settings - Fork 0
Configuration
Welcome to the AuthCore configuration bible! This file controls the brains, brawn, and paranoia levels of your server's login system.
Whether you want a casual SMP where friends can join easily, or a digital fortress that requires a retinal scan (metaphorically speaking), this is where you make it happen.
โ ๏ธ Note: This configuration file usually generates asconfig/authcore/settings.confor similar in your config folder. Always restart your server OR (/authcore reload) after making changes!
- General & Debugging
- Session Settings
- Password Security Policy
- Database Connection
- Lobby & Limbo Restrictions
- Command Permissions
Basic housekeeping settings.
| Config Option | Short Name | Description & Humor | Default | Recommendation |
|---|---|---|---|---|
version |
The "Do Not Touch" | Internal versioning for migrations. Scenario: You change this manually. Result: The plugin breaks, and the developer cries. | "1.0.0" |
Do NOT edit. |
debug-mode |
Spam Console | Enables verbose logging. Great for fixing bugs, terrible for reading your console. Scenario: Players can't login and you don't know why -> Set to true. |
false |
false (unless troubleshooting) |
This section controls the flow of logging in, staying logged in, and getting kicked out.
Found under session.authentication.
-
max-login-attempts- Short Name: Fat Finger Limit
- Description: How many times a player can fail their password before gettings kicked.
-
Default:
8 -
Scenario: Set to
3if you want to punish typos severely.
-
allow-bedrock-players- Short Name: Geyser Gate
- Description: Allows Bedrock/Floodgate formatting.
-
Default:
false - Scenario: Enable this if you use GeyserMC.
-
look-up-by-username- Short Name: Unique Names Only
- Description: If true, allows unique usernames only. If false, supports multiple UUIDs for the same name (weird, but okay).
-
Default:
false
-
premium-auto-login- Short Name: The VIP Pass
- Description: Skips auth for legitimate Mojang accounts.
-
Default:
true -
Recommendation: Keep
truefor Hybrid servers. It saves premium players a headache.
-
premium-auto-register- Short Name: Ghost Registration
- Description: Generates a random password for premium users so they are registered in the backend automatically.
-
Default:
true
-
allow-proxy-users- Short Name: VPN Blocker
- Description: Allow connections from known proxies/VPNs.
-
Default:
false -
Scenario: Keep
falseto stop bot attacks from cheap proxies.
-
offline-mode-by-default- Short Name: Guilty Until Proven Innocent
- Description: Treats unknown usernames as offline-mode players requiring login.
-
Default:
false
-
register-password-confirmation- Short Name: The Double Typo Check
- Description: Forces users to type password twice during register.
-
Default:
true
-
allow-login-after-registration- Short Name: Instant Entry
- Description: Logs them in immediately after registering.
-
Default:
true
-
allow-cracked-premium-names- Short Name: Identity Theft
- Description: Allows offline-mode launchers to use the names of paid accounts.
-
Default:
false - Recommendation: FALSE. Prevents people from stealing admin usernames.
-
block-duplicate-register/block-duplicate-session- Short Name: Clone Wars
- Description: Prevents the same account from registering/logging in from multiple places at once.
-
Default:
true
Found under session.
-
timeout-ms- Short Name: Session Lifespan
- Description: How long they stay logged in without typing their password again (in ms).
-
Default:
3600000(1 Hour)
-
cooldown-after-kick-ms- Short Name: The Sin Bin
- Description: How long they must wait to rejoin after failing login too many times.
-
Default:
120000(2 mins)
-
skip-combat-detection- Short Name: Combat Log Pass
- Description: If true, unauthorized players can disconnect without triggering combat logging plugins.
-
Default:
false
-
combat-timeout- Short Name: Battle Timer
- Description: Duration a player is considered "in combat".
-
Default:
3000(3s)
-
message-reminder-interval-ms- Short Name: The Nagging Timer
- Description: How often the server yells "PLEASE LOG IN" at the player.
-
Default:
8000(8s)
-
enable-sessions- Short Name: Remember Me
- Description: Persists login across disconnects.
-
Default:
true
-
kick-after-session-timeout- Short Name: The Boot
- Description: Kicks the player instantly when their session expires while playing.
-
Default:
false -
Scenario: Set to
falseunless you enjoy annoying your player base.
-
session-from-same-i-p-only- Short Name: IP Lock
- Description: Sessions are only valid if the IP matches. Prevents session hijacking.
-
Default:
true - Recommendation: Always True.
Define how annoying (safe) a password must be. Found under password-rules.
Each rule (upper-case, lower-case, digits) has:
-
enabled: Turn it on/off. -
min: Minimum required. -
max: Maximum allowed (to prevent 500-character essays).
| Rule | Default Min | Description |
|---|---|---|
| Upper Case | 1 |
Forces at least one CAPITAL letter. |
| Lower Case | 3 |
Forces at least three tiny letters. |
| Digits | 4 |
Forces numbers. "Password1234" is unoriginal, but valid. |
| Length | 8 |
Minimum total characters. |
-
allow-reuse- Short Name: History Check
- Description: Can they use their old password?
-
Default:
false(Make them be creative).
-
password-hash-algorithm- Short Name: The Math Stuff
- Description: How we scramble the passwords in the database.
-
Options:
argon2,bcrypt,scrypt,pbkdf2,sha-512. -
Default:
argon2 - Recommendation: Stick to Argon2. It eats GPUs for breakfast. MD5 is effectively illegal in 2026.
Where the secrets live.
-
sqlite:"authCore-db.sqlite" - Short Name: The Easy Way
- Description: A flat file. No setup needed. Best for small SMPs or lazy admins.
Use this if you run a network or have 500+ players.
-
enabled: Set totrueto activate. -
Config:
host,port(usually 3306),database,username,password. -
ssl:false. (Turn on if your DB is on a different continent).
What can unauthenticated players ("The Unclean") actually do? Spoiler: Nothing.
-
limbo-config.enabled:true. Teleports them to a holding cell. -
limbo-config.location: Coordinates (x, y, z) and dimension (e.g.,minecraft:overworld) where they wait. -
timeout: Dynamic timeout based on ping.- Feature: Gives players with bad internet (Lag lords) more time to type their password.
- Default: 60s base, scales up to 5 minutes for 600ms+ ping.
Found under lobby. Most of these default to false (meaning the action is forbidden).
| Feature | Default | Description |
|---|---|---|
max-lobby-users |
50 |
Caps the amount of un-logged-in players. |
safe-operators |
true |
CRITICAL. Removes OP status until you login. Prevents hacked clients from nuking the server instantly. |
allow-chat |
false |
Prevents spam bots. |
allow-commands |
false |
Prevents /op MeHacker123. |
whitelisted-commands |
[login, register,account] |
The only commands allowed. |
allow-movement |
false |
Freezes them in place. |
invisible-unauthorized |
true |
Ghost Mode. Unauthed players can't see each other. |
apply-blindness-effect |
true |
Darkness. Makes them focus on the chat to login. |
force-adventure-mode |
true |
No breaking blocks. |
Interaction Flags (All Default false):
-
block-breaking,block-interaction,item-drop,item-pickup,attacking-player,attacking-mobs. - Essentially: If it involves clicking a mouse button, it's disabled.
Controls who can run what. Supports LuckPerms (Recommended) and Vanilla OP levels.
Default Level: 0 (Everyone)
| Command | LuckPerms Node | Description |
|---|---|---|
/login |
authcore.user.login |
The magic word. |
/logout |
authcore.user.logout |
Rage quitting safely. |
/register |
authcore.user.load |
Creating an account. |
/unregister |
authcore.user.unregister |
Deleting your own account. |
/changepassword |
authcore.user.changepassword |
"New year, new me, new password." |
Default Level: 3 (Admins/OPs)
| Command | LuckPerms Node | Description |
|---|---|---|
reload |
authcore.admin.reload |
Refreshes config. |
delete player |
authcore.admin.deleteplayer |
Yeets a player from the DB. |
list players |
authcore.admin.listPlayers |
Shows who has joined. |
destroy-session |
authcore.admin.destroyPlayerSession |
Forces a player to re-login right now. |
set-password |
authcore.admin.setPlayerPassword |
"I forgot my password admin pls help." |
whois |
authcore.admin.whoisUsername |
Doxxing... legally. Shows IP/UUID info. |
set-offline/online |
authcore.admin.set... |
Manually toggles a player's premium status. |
set-spawn |
authcore.admin.setSpawnLocation |
Sets the limbo jail location. |
Wiki generated for AuthCore v1.0.0. If you break your config, don't say we didn't warn you. ๐คก