Key Authentication (1.19+)
Minecraft 1.19 introduced a new security feature: cryptographic key-based authentication for player messages and chat. Gate provides configuration to control this behavior through theforceKeyAuthentication setting.
What is Key Authentication?
Starting in Minecraft 1.19, Mojang introduced a system where:- Each player has a cryptographic public/private key pair
- Chat messages are cryptographically signed by the player’s private key
- Servers can verify message authenticity using the player’s public key
- This prevents message tampering and impersonation
This feature is part of Mojang’s “Secure Chat” system designed to enable server-side moderation and ensure message authenticity.
Configuration
The key authentication setting is configured in yourconfig.yml:
Enabled (Recommended)
Gate defaults to
forceKeyAuthentication: true for security and compatibility.Behavior
When enabled:- ✅ Players must provide a valid cryptographic key during authentication
- ✅ Chat messages can be cryptographically verified
- ✅ Compatible with Mojang’s secure chat features
- ✅ Supports chat reporting and moderation features
- ✅ Follows Minecraft’s security standards
- ⚠️ Some modded clients may have issues
Benefits
- Message Authenticity: Verify messages haven’t been tampered with
- Player Verification: Ensure messages are from the claimed player
- Moderation Support: Enable Mojang’s server-side moderation features
- Future Compatibility: Prepared for future Minecraft security features
Disabled
Behavior
When disabled:- ⚠️ Players can connect without providing cryptographic keys
- ⚠️ Chat messages cannot be cryptographically verified
- ⚠️ Secure chat features are disabled
- ⚠️ Chat reporting may not function correctly
- ✅ Compatible with modded clients that don’t support key authentication
- ✅ No key verification overhead
When to Disable
Disable key authentication only when:- Modded Clients: Your community uses heavily modded clients that don’t support key authentication
- Custom Clients: Using custom authentication systems
- Privacy Concerns: Avoiding Mojang’s chat reporting system
- Legacy Support: Supporting older client modifications
Most legitimate Minecraft clients (vanilla, Forge, Fabric) fully support key authentication. Only disable if you have specific compatibility requirements.
Technical Details
Authentication Flow (Enabled)
- Player Login: Player connects to Gate
- Key Request: Gate requests player’s public key
- Key Provision: Client sends public key signed by Mojang
- Key Verification: Gate verifies key signature with Mojang’s API
- Session Establishment: Player authenticated with verified key
- Message Signing: All chat messages are cryptographically signed
Authentication Flow (Disabled)
- Player Login: Player connects to Gate
- Skip Key Request: Gate does not request public key
- Session Establishment: Player authenticated without key verification
- Unsigned Messages: Chat messages are not cryptographically signed
Security Implications
With Key Authentication (Enabled)
Strengths:- 🔒 Messages are cryptographically signed
- 🔒 Impersonation is cryptographically prevented
- 🔒 Message tampering is detectable
- 🔒 Supports Mojang’s moderation infrastructure
- ⚠️ Depends on Mojang’s key infrastructure
- ⚠️ May break some modded clients
- ⚠️ Enables Mojang’s chat reporting system
Without Key Authentication (Disabled)
Risks:- ⚠️ Messages can be forged by proxy/plugins
- ⚠️ No cryptographic verification of message origin
- ⚠️ Chat impersonation possible
- ⚠️ Incompatible with secure chat features
- ✅ Compatible with all clients
- ✅ No dependency on Mojang’s key servers
- ✅ Greater privacy (no chat reporting)
Chat Signing and Validation
How It Works
WhenforceKeyAuthentication: true:
Signature Structure
Each message includes:- Message Content: The actual chat text
- Timestamp: When the message was sent
- Salt: Random value to prevent replay attacks
- Signature: Cryptographic signature over the above
The signature ensures the message hasn’t been modified since the player sent it.
Compatibility
Client Compatibility
| Client Type | Supports Key Auth | Notes |
|---|---|---|
| Vanilla 1.19+ | ✅ Yes | Full support |
| Vanilla before 1.19 | ✅ Yes | No signing, but connects |
| Forge 1.19+ | ✅ Yes | Full support |
| Fabric 1.19+ | ✅ Yes | Full support |
| Modded (heavily) | ⚠️ Maybe | Depends on modifications |
| Custom clients | ⚠️ Maybe | Depends on implementation |
Server Compatibility
Backend servers must support key authentication:- Paper 1.19+: Full support ✅
- Spigot 1.19+: Full support ✅
- Vanilla 1.19+: Full support ✅
- Fabric 1.19+: Full support with mods ✅
- Modded servers: Depends on mods ⚠️
Chat Reporting
Key authentication enables Mojang’s controversial Player Chat Reporting feature:What is Chat Reporting?
- Players can report messages to Mojang
- Mojang’s moderation team reviews reports
- Violators can receive global bans
- Cryptographic signatures prove message authenticity
This is a controversial feature in the Minecraft community, as it allows Mojang to enforce moderation on private servers.
Disabling Chat Reporting
If you want to disable Mojang’s chat reporting: Option 1: Disable key authentication (not recommended)- No Chat Reports - Fabric/Forge mod
- FreedomChat - Spigot plugin
Using backend plugins allows you to keep
forceKeyAuthentication: true for security while disabling chat reporting features.Configuration Examples
Production Server (Recommended)
Privacy-Focused Server
Modded/Custom Client Server
Backend Server Configuration
Paper Servers
Paper respects Gate’s key authentication settings. No additional configuration needed. Optional: Enforce chat signatures Editconfig/paper-global.yml:
Spigot Servers
Spigot automatically handles key authentication based on Gate’s configuration.Vanilla Servers
Vanilla servers support key authentication by default: server.properties:Set
enforce-secure-profile=false to allow Gate to control key authentication.Troubleshooting
Players Can’t Connect (1.19+)
Symptoms: “Invalid signature for profile public key” or similar errors Causes:- Key authentication mismatch between Gate and backend
- Backend server enforcing secure profiles
- Client not providing valid keys
-
Verify Gate configuration:
-
Check backend server settings:
- Test with vanilla client to rule out modded client issues
Modded Clients Can’t Connect
Symptoms: Connection refused, authentication errors Cause: Modded client doesn’t support key authentication Solution: Disable key authenticationChat Messages Not Signed
Symptoms: Backend plugins report unsigned messages Causes:forceKeyAuthentication: falsein Gate- Player using client < 1.19
- Backend stripping signatures
-
Enable key authentication:
- Check backend configuration isn’t stripping signatures
- Verify client version is 1.19+
Chat Reporting Not Working
Symptoms: Players can’t report messages Causes:- Key authentication disabled
- Backend plugin blocking chat reports
- Invalid key signatures
-
Enable key authentication:
- Remove chat reporting blocking plugins (No Chat Reports, etc.)
- Verify player keys are valid
Best Practices
For Public Servers
Recommended: Enable key authentication
- Maximum security
- Full Minecraft feature support
- Message authenticity verification
For Modded Servers
Consider disabling if modded clients have issues
- Better mod compatibility
- Reduced security
- Manual moderation required
For Private Servers
Balance security and privacy needs
Version History
| Minecraft Version | Key Authentication Support |
|---|---|
| 1.19.0 | ✅ Introduced |
| 1.19.1+ | ✅ Required by default |
| 1.20.0+ | ✅ Enhanced security |
| Before 1.19 | ❌ Not supported |
Players on Minecraft versions before 1.19 can still connect; they simply won’t have their messages signed.
Related Topics
- Online Mode - Mojang authentication
- Forwarding Modes - Secure player info forwarding
- Security Best Practices - Comprehensive security guide