# Authentication

### Client Authentication

The primary security for authenticating valid clients connecting to the replication server is accomplished via a shared secret.

The replication server is started with the `--secret` option and a host-generated secret token string. Eg.:\
`replication-server world -env prod --secret "ABCDEFG1234567" --schema "...."`

When the client connects they need to provide an authority token that contains the replication server secret in the `AuthToken` field of the `WorldData` or `RoomData` structure. This [JWT](https://www.jwt.io/introduction) token is generated with the following properties:

* Algorithm: HMAC SHA 256
* Secret: the same secret as used in the `--secret` option to launch the replication server
* Claims:
  * "sub": player ID string — any player identifier
  * "pid": project ID string — any project identifier
  * "type": `ConnectionType` as lower case string — client | simulator

{% hint style="warning" %}
The default "local-development" secret is rejected by the replication server when the environment is "prod" or "staging".
{% endhint %}

The best practice for providing the client an authentication token is to provide your own authentication service which generates the token on behalf of the client and provides the token to the client for connecting to the replication server. This way, the client never knows the secret and can not spoof access to a replication server as a simulator which might have elevated permissions when using [Advanced Simulator Authority](https://docs.coherence.io/manual/simulation-server/advanced-simulator-authority).

### Client as Host Authentication

In a [server authoritative setup](https://docs.coherence.io/manual/authority/server-authoritative-setup), you might want a client to act as a [host](https://docs.coherence.io/manual/authority/server-authoritative-setup#client-as-a-host) instead of requiring a simulator. In this specific case, the client needs to be authenticated as a host. In this very specific case, the `--room-secret` option is used with a secret string when launching the replication server in world mode. This string must match the `RoomSecret` field in the `WorldData` structure when connecting to the replication server via the client. In rooms mode the room secret is defined the the `Secret` parameter of the `/add` [API](https://docs.coherence.io/hosting/self-hosting/broken-reference) call and the same secret must match the `RoomSecret` field in `RoomData`.