I recently thought of this and was happy to see someone else suggested it. I have so many friends who do commissions / make models for friends who would love this. I'll write out my method for it that I already wrote in my own words:

Say my friend does a retexture for me, and I don't know how to use unity. They set up the project and all, but in order for the avatar to be uploaded onto my account, the only possible way (that I am aware of) is for them to actually log into my account and upload it for me, which can be super unsafe and is obviously never recommended.

An idea I had, while working on my friend's avatar, was that we have a code on vrchat.com that is essentially an upload token, a randomized integer / string, that can be plugged into the VRChat Builder in Unity, that points your upload to a person's account. The person would then, upon successful upload completion, have a notification / section on their vrchat.com account that shows their pending avatar upload, and they can confirm it or deny it depending on if they trust the user that pushed the upload.

Additionally, for further safety, in case your code gets hijacked and spammed, you can simply refresh the upload code, to keep it clean and safe.

I'm not super versed with how the internal systems of uploading an avatar work, but surely something like this would be possible? I feel it would be an incredibly appreciated service.

Rito, plz add

I think this is very important.

Users should be able to generate:

an alternative could be the transfer of the ownership of an avatar/world

This is a really important feature. Allow a temporary token for access to the account at bare minimum would allow people to upload avatars with ease and keep their account secure. Could even go farther to have a "whitelisted accounts" section, where you can allow certain accounts permission to upload avatars on your account (but not delete).

I think this is a good idea and should be revived in 2023.

I think this is a great idea, since a lot of users rely on others to customize their avatars. The people doing the customization work are well versed with Unity, but a regular user may not be, and the amount of time it takes to become well versed enough is a substantial barrier-to-entry. So those users either do without (and just go with free avatars from avatar worlds, which may not reflect their personal identity), or they have to give someone doing that for them their login credentials (a risk, and a violation of the TOS).

I think that this needs to be more fleshed out beyond a simple one-use/fixed duration token system. There needs to be the following enhancements to really make this worthwhile:

1) The ability to restrict who can use the token

2) The ability to restrict what can be done with the token

3) The ability to control how long the token is valid

4) The ability to revoke the token at any time

5) The ability to report abuse of the token

Before going in more details, I'll define a couple terms

Consumer - the account generating the token, which grants an upload privilege to their account.

Developer - The account consuming the token, ie the user who is uploading an avatar/world to the consumer's account.

1) The ability to restrict who can use the token -- you should have the ability to select a specific VRC user who can use the token -- the SDK should still require them to log in with their to perform the upload anyways, so this shouldn't be a problem.

2) The ability to restrict what can be done with the token. The basic idea is to upload an avatar (or a world*), but granting only the ability to upload a new asset is really limited. What if the consumer wants changes after it's been uploaded? Sure, the consumer can delete the avatar and have the developer upload a new one, but it would be better to be able to grant the authority to update an avatar (since they all have unique UUIDs) The consumer should have the option to choose between upload only, update (and specify an existing avatar associated with the consumer's account via its UUID), etc, as there won't be a one-size-fits all solution to this.

3) The ability to control how long the token is valid. The consumer may choose the grant the developer an unlimited time to make updates to the avatar/world associated with the token, if they trust the developer enough for that. Or they may want to place a number of uploads or a time limit. There should be an ability to extend the duration, or resume an token which became invalidated by exceeding the upload #/time limit.

4) The ability to revoke the token at any time. Once a job is done, the consumer may wish to end the token before the duration defined in #3 is over, simply because the job is done and no further access is needed. Of course, the consumer may wish to terminate the token for any other reason. This should be easy to do.

5) The ability to report abuse of the token. Abuses will always happen. This should be reportable, and there should be some kind incident management that is fair and equitable for both the consumer and developer (because this ability can be abused too.)

* - of course, the ability to upload worlds like this requires some thought on how culpability is shared between the consumer and developer, for TOS violations, DMCA violations, etc.

This is a great idea for avatar creators or even simple friends +1

I need this!

> My Proposal is to allow the client to generate a one time use access key to make uploads to their account. :)

That, or access control lists, such that a user can ask the creator for their VRChat username or email address, put their creator account into an access list entry to allow them to upload to one or more specific avatar(s) only.