Expose unique user IDs to Udon
Merlin
Now that web connectivity will likely require some form of consent from the user when using Udon, I think it's a reasonable request to ask for an actual unique user ID that we can use to identify users. This could be used to do things like enable a debug console in the world, or when web connectivity is back, save progress or settings in a world.
Right now people are using display names as "unique" identifiers which isn't good and already has issues since it's a display name. One issue is https://vrchat.canny.io/vrchat-udon-closed-alpha-bugs/p/onplayerjoined-doesnt-get-full-displayname-for-steam-users
Another issue is that "special" characters like "." get replaced in the display name with lookalikes which breaks string comparisons.
Relying on display name to "uniquely" identify people will become more prevalent as time goes on and people make commonly used systems that depend on them. You should expose this sooner rather than later to avoid this issue.
The potential for abuse is obviously possible, but there's no reason to kneecap the systems and introduce potential issues by leaving only display names visible. Right now I can reasonably target people with just their display names, it's just possible that there will be some more people with the same name that get targeted. Worlds abusing names to harass people is something that should be reported on a world basis.
Log In
`Alex`
This seriously needs to be a thing, creating custom systems for worlds and only being able to use DisplayName is crazy when there is already a UUID available
Deantwo
This is just a guess. But one of the reasons we don't have access to user IDs, might be because VRChat thinks it will limit the chance of people making blacklists.
PS: Why is this document so hard to find? I could not find it before I knew it existed.
HcgRandon
Merlin Since you are internal now, can you campaign for this?
Litе
Support, no clue why this isn’t already a thing.
Deantwo
I don't understand why the unique user ID isn't exposed to Udon. The unique user ID isn't secret, I can easily use the VRChat website to get the unique user ID from the URL of any player I want.
Has VRChat devs given a reason for it not being available?
owlboy
It seems weird everyone has been telling me I can just match usernames now and there is no need for "locks." But if people can just spoof it...
GotoFinal
Well, if team want more privacy they could generate new udon id per player with no public API to query user by udon id. Ofc some people will probably start sooner or later collecting them and making a mapping, but world creators just need some kind of id.
indominablerexx
Or, they could generate a new ID that's persistent, but only persistent on one world, and different on other worlds. That way you can't build a list and make a mapping, but you can still make data persistent and save information for a user who revisits your world
Merlin
indominablerexx: That'd make it difficult to manage if you have multiple worlds that you want to check your user ID. And now if you have a test ID of the map to upload and a live ID, you need to remember to update your user ID's between every upload. So it's shoving another VRC-ism onto map makers for no reason.
I don't personally see any issue with exposing the actual user ID per user considering that for the purposes of data collection, the display name we have access to is effectively already "unique" enough to get useful information from. If VRC wanted to actually mitigate that, they should make display names non-unique and go with Goto's solution.
Not that it's really an issue anyways, it's up to the authors of the worlds to comply with data protection and I specifically made this canny because VRC is going to put in some way to restrict web access from the user's view. Discord bots watch all messages from hundreds of thousands of people daily and no one bats an eye.
indominablerexx
Merlin: I don't see any reason not to expose real user ID's either. It'd be preferable to anything else, plus, people can abuse anything, but you have to draw a line somewhere between what is acceptable to expose and not. The real question is not so much can it be abused, but rather, is it a security risk. I firmly believe it isn't. As far as abuse, there's tools and reporting features for that anyways.
"Not that it's really an issue anyways, it's up to the authors of the worlds to comply with data protection"
Absolutely!