Offer users the ability to create a login token or temporary password for Unity
๑Ҝɨʇɍɨ๑
With the update of TOS and the cracking down on sharing login information, I propose the ability for users to offer a temporary login token or password, linked to the account, only accessed through Unity.
This gives you a secure way of sharing your credentials for a product you paid for with the community of creators that make things for the game.
MarcellaVT
I kinda already posted about this years ago...
WubTheCaptain
This (or similar) has been previously requested several years ago:
- https://feedback.vrchat.com/feature-requests/p/vrcsdk-creator-companion-sso
- https://feedback.vrchat.com/feature-requests/p/please-implement-oauth-login-feature-to-vrcsdk
- https://feedback.vrchat.com/feature-requests/p/vrc-sdk-auth-key-avatar-building-to-other-accounts
- https://feedback.vrchat.com/feature-requests/p/avatar-sharing-via-upload-token-via-onetimelimited-time-account-locked-use
- https://feedback.vrchat.com/feature-requests/p/generating-a-token-to-upload-a-vr-chat-avatar-on-someone-elses-account-would-onl
- https://feedback.vrchat.com/feature-requests/p/avatar-upload-access-tokens
- https://feedback.vrchat.com/feature-requests/p/use-tokens-for-unity-login-instead-of-login-credentials
Somewhat related, and already tracked: https://feedback.vrchat.com/feature-requests/p/provide-an-authenticationauthorization-model-for-third-party-api-integrations
See also tupper's post from May 2025: https://ask.vrchat.com/t/a-proper-sso-oauth2-and-or-oidc-endpoint-public-vrchat-api/22909/31
Tiny_Nugget
100% agree. I don't want my personal models to be for others, especially when I pay a lot of money. This is also not good for avatar creators who do commissions.
VeilOfLunaria
This would be such a great idea fr. I understand VRChat for not thinking it's a good idea to upload for others, but they genuinely need to make it accessible to Quest users, people who just don't know how to use Unity, and those with PCs which can't run Unity.
․nebula․
This will HEAVILY impact the RP community and people that do model work commissions please upvote this!!! There are many ways to go about this besides fully removing sharing your account info!
Drazker
Big agree!
ZenithVal
I do hope we someday get a pipeline here for creators to upload for others in a community guideline compliant way.
I'd love to give someone a unique key that decides permissions like:
- Allowed to upload new avatars?
- Update existing avatars?
- Limit to specific IDs? (And which)
- Allow avatar deletion?
I feel like VRChat might already keep previous versions of avatars for moderation purposes? If there was a website option for reverting to previous versions of avatars, this'd also prevent damage by a malicious actor with update permissions overwriting avatars.
WubTheCaptain
ZenithVal Before entertaining the idea of allowing creators to upload for others, let's consider the options. I'll also explain why these requested session tokens may be unintuitive for users, and not in the best interest of users for their account security or convenience in the big picture. The pipeline you're hoping for (and what I imagine) would be an ambitious, epic task requiring large bodies of work broken down into multiple tasks to implement correctly and somewhat securely (assuming a shared responsibility model). There are also other tangential unsolved problems.
There are currently (at the time of writing this) two existing ways to share avatars with other users, which are user-intuitive and secure: the avatar marketplace, and public avatars. Neither requires any setup for the user, nor requires sharing login sessions or information with third parties. Additionally, any updates to the avatar will be done by their uploaders with no interaction required to be taken by the user. This is generally a win-win for the average user who may be disinterested or unable to become or learn how to become a VRChat Creator or Unity user at this time, or an average user willing to manage and secure account/session token permissions.
The avatar marketplace also has some binding rules for the uploader, meaning a purchased avatar cannot substantially change to a different avatar once sold. Public avatars are at the mercy of their uploader (and their account status), of course.
I could entertain the idea of transferring private avatars between users, but that could also compete with the avatar marketplace (and not be in the best interest of Creators for user support or the VRChat platform for longevity). Transferring "ownership" of a third-party marketplace / customized avatar to another user commonly has prohibitive license restrictions on transfers; this tangential social / legal factor may also coerce non-creator users to have others upload to the user's account instead.
WubTheCaptain
So let's return to entertaining the original proposal of allowing others to upload to your account, because some of you are going to inevitably do it anyway. How can you create an equally good user-friendly experience, which:
- Does not require full access to the user's account (security);
- Requires little to no setup for the user (user-intuitiveness);
- Allows account resources (e.g. avatars) to be managed (read and/or written) by third-parties (on behalf of the user), with user approval or without needing action from the user.
- (Optionally) Scales well to reduce the burden of VRChat Creators to support users with avatar management (to retain the status quo of officially supported methods).
Managing least privilege permissions for tokens may be notoriously difficult and not very intuitive to manage or set up for an average user.
Ideally, such tokens would be short-lived, e.g. 1 hour long (but configurable to be valid for up to 24 hours). I believe the session token by itself can't be entirely single-use, because an avatar upload to all platforms (Windows, Android, iOS) is three uploads (three version increments), so a short-lived token seems to be required. Plus, the session needs to make a bunch of GET calls to the API before uploading. You could argue "well, let's invalidate the session token after the uploads!" to have a single-use token, but this doesn't take into consideration the potential security implications of what that token can already do (and needs to do with multiple API calls), or how errors in the upload process should be handled for session tokens.
For the sake of argument, let's say we now need a short-lived token. Ideally, the session assumed by the token has least privilege permissions for the task.
- Who's going to manage the permissions for that token?
- What API actions are allowed with that token?
- Which principals (VRChat users) can use it (be trusted)?
- Which resources is that session allowed to access, or be denied access to?
- Is your average user going to understand setting up and managing "IAM" (Identity and Access Management) roles and permissions?
WubTheCaptain
In theory, at this time anyone with the ability to create sessions may also be able to maliciously hit the user session limit with repeated session requests, which could lock the owner out of their account.
So how do you get an attacker out of your account, if they've gained malicious access to your token?
There's currently no way for users to audit recent activity (sessions) or to invalidate them.
Changing a password also does not currently invalidate existing sessions?
- https://feedback.vrchat.com/website/p/fix-session-management
- https://feedback.vrchat.com/bug-reports/p/changing-password-does-not-invalidate-logins
At this time, using session tokens instead of usernames/passwords would not increase security much unless the tangential problems above are also solved.
I could also remind that session tokens inherently bypass multi-factor authentication, and open the plausibility of adversary-in-the-middle attacks (e.g. the session token is captured via phishing). There are ways to detect or mitigate AiTM, such as monitoring for multiple login sessions from the same token.
How about the scale of managing permissions and accommodating the needs of different users? You may have a user who wants a trusted friend to upload avatars and update them without interaction from the user, or without a short-lived token every hour; are you going to give them long-lived tokens that don't expire (not recommended), or set up a theoretical organization/group with delegated permissions (non-intuitive)? A VRChat Creator may not want to ask the user for a token every hour to update avatars for one or a hundred users of that avatar.
If a user wants to approve the actions made by delegated third parties, that'd also be its own feature request.
Then, what if you have 100 avatars with 105 authorized uploaders, are you ready to manage permissions individually for all of them, or learn how to use Unity instead? (These are all ideas.)
I imagine avatar backups and restoration could be a paid option or a VRChat+ feature.
The existing VRChat Creator documentation caters to advanced users uploading avatars from scratch (Creating Your First Avatar), but not premade Unity packages.
P.S.: At least old revisions of worlds may exist.
WubTheCaptain
> Who's going to manage the permissions for that token?
To restrict actions, VRChat could add VRChat managed policies, which are permission sets that allow only specific actions to be taken. E.g. VRCFullAccess, or VRCAvatarsFullAccess. These are not (and won't ever be) least privilege permissions due to being managed for the general public, without an intuitive UI to allow/deny resources and principals. If the goal is to restrict principal use to a single authenticated user (e.g. your uploader's VRChat account) and a single resource, such customization would require the user to also write custom rules. It then also becomes a shared responsibility of the user to follow best practices to manage least privilege permissions for tokens, which may be something a user may not be willing to learn to do (and give full permissions instead). I argue this approach is not very user-intuitive; the focus shifts from learning Unity to learning IAM roles/permissions (but can now be done on the website, instead of on a Windows computer with Unity).
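The scoped, short-lived upload token discussed in this thread (ZenithVal's permission list, and WubTheCaptain's questions about principals, actions, resources and expiry), sketched as an added example that is not code from any poster or from VRChat. The token format, the action names (`avatar:create`, `avatar:update`, `avatar:delete`), the user and avatar IDs and the signing key are all assumptions made up for illustration and do not describe a VRChat API.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = b"constructed-demo-key"    # constructed; a real service keeps this secret
DEFAULT_TTL, MAX_TTL = 3600, 24 * 3600  # 1 hour default, 24 hour ceiling (from the thread)
REVOKED = set()                         # token ids the account owner has revoked

def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()

def issue(owner, principal, actions, avatar_ids, ttl=DEFAULT_TTL, now=None):
    """Return (token, token_id) bound to one uploader, an action set and an avatar list."""
    now = int(time.time()) if now is None else now
    claims = {"jti": secrets.token_hex(8), "owner": owner, "principal": principal,
              "actions": sorted(actions), "avatars": sorted(avatar_ids),
              "exp": now + min(ttl, MAX_TTL)}   # requested lifetime is capped
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode(), claims["jti"]

def authorize(token, caller, action, avatar_id=None, now=None):
    """Deny by default; return (allowed, reason) for one API call."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["jti"] in REVOKED:
        return False, "revoked"
    if now >= claims["exp"]:
        return False, "expired"
    if caller != claims["principal"]:
        return False, "wrong principal"
    if action not in claims["actions"]:
        return False, "action not granted"
    # Creating a new avatar has no existing ID; every other action must name one in scope.
    if action != "avatar:create" and avatar_id not in claims["avatars"]:
        return False, "avatar out of scope"
    return True, "ok"

if __name__ == "__main__":
    tok, jti = issue("usr_owner", "usr_creator", {"avatar:update"}, {"avtr_demo1"})
    print(authorize(tok, "usr_creator", "avatar:update", "avtr_demo1"))  # reusable per platform
    print(authorize(tok, "usr_creator", "avatar:delete", "avtr_demo1"))  # not granted
    REVOKED.add(jti)                                                     # owner revokes
    print(authorize(tok, "usr_creator", "avatar:update", "avtr_demo1"))
```

The token stays valid for repeated calls until it expires or is revoked, which covers the three per-platform uploads, and the revocation set is the piece the thread notes is missing from session handling today.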
ToolboxMotley
Huge agree. I don't mind walking my clients through uploading the avatars I build for them, but some are just so overwhelmed by the thought of messing with Unity that they insist I upload it for them instead. I would love to have this option available to my clients.
berryaxolotl˖·˚
Genuinely so many of us get paid through uploads, so to take that away (especially with the introduction of Marketplace and its 50% creator fee), it doesn't look good for the platform.
MechaDolly
I agree with this idea, I get commissioned semi-frequently for kitbashes using assets they've paid for or assets I made from scratch myself and my customers often are not the tech savvy type, installing Unity and setting it up correctly is a hassle and oftentimes they do not have the time, will or knowledge to set it up despite instructions and end up asking me to upload for them instead. Plus Unity absolutely demands you make an account in order to even get a personal license.
A temporary token would be great, as it is much more secure and still allows people who don't understand how to edit avatars, and do not have the time or capacity to learn Unity, to have someone do it for them. The marketplace is great but the customization only goes as far as what the maker configured in the avatar's toggles, sometimes people want very specific customs that you just cannot find in the marketplace, especially VTubers who have VERY specific designs.
If our ability to upload for others gets completely revoked, it would ruin what made VRChat what it is today, not everyone has the time to learn Unity, Blender, Substance Painter or other related software just to make a custom avatar.