In the past, authentication with a BYOND key was only possible if you used DMCGI to do it. There was simply no way to get the login details any other way. Some people have requested a new feature to allow any program to authenticate BYOND keys.

That feature might not be here, but I offer the next best thing: authentication using a mediator server (which is pretty much what the feature request suggests anyway, so I guess I did the work for them!).

Without further ado I would like to present:

The McKay-Carter Intergalactic Bridge dta_auth BYOND authentication system

Let's get on with the technical details, as I'm sure most of you are looking straight for them.

The following steps are taken to authenticate a user:

  1. The user arrives at
  2. At this point your script redirects the user to and passes along two variables:
    • A session id which is a variable only your server and the real client share. Upon receival this is immediately taken out of the loop to minimize the possibility of eavesdropping. In my example it is derived from the current time.
    • A return URL which is usually back to your script. In my example it will be
  3. The user is taken to where they can log in.
  4. Once the user successfully logs in with a valid BYOND key they are redirected back to where the magic happens.
  5. My script redirects the user back to where you receive a certificate ID. You then pass this value back and confirm the validity of the certificate, after which the authentication is completed.

The security measures taken:

  1. A unique ID pinpoints the exact certificate that contains the authentication request.
  2. A session ID verifies that the certificate was indeed requested by your server.
  3. A hash is sent with the client to ensure that they have access to that certificate and to ensure other domains can't read your certificates.
  4. The BYOND key and ckey are both stored in the certificate and cross-referenced with what you receive to prevent spoofing of keys.
  5. You may optionally specify an IP address (or other unique means of verification) to verify that as well.
  6. Finally, the certificate is destroyed immediately after you've checked it to prevent it from being re-used in the future.

In addition to the above, clients are expected to always log in with a new set of credentials, so it's not possible for a client to re-use someone else's log-in on your site.

And now a code sample (because nobody on BYOND listens to you unless you post one!):

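<?php session_start(); //index.php

if(isset($_SESSION['byond_key'])){
    //escape the key before printing it into HTML
    echo 'You are logged in as ' . htmlspecialchars($_SESSION['byond_key']) . '! <a href="login.php?logout=1">Logout</a>';
}else{
    echo 'You are NOT logged in. <a href="login.php">Login</a>';
}

<?php session_start(); //login.php

//the URL that the mediator server should reroute the user to once authentication finishes goes here
define('URL', ''); //the value was not preserved on this page

if(!isset($_SESSION['byond_key'])){ //we are not logged in
    if(isset($_GET['id']) && isset($_GET['key']) && isset($_GET['ckey']) && isset($_GET['hash'])){
        //looks like we received a response
        $crl = curl_init();
        //the mediator server's address was not preserved on this page; it belongs at the start of this string
        curl_setopt($crl, CURLOPT_URL, '' . urlencode($_GET['id']) . '&sid=' . urlencode($_SESSION['sid']) . '&hash=' . urlencode($_GET['hash']) . '&ckey=' . urlencode($_GET['ckey']) . '&key=' . urlencode($_GET['key']));
        curl_setopt($crl, CURLOPT_RETURNTRANSFER, true); //return the response body instead of printing it
        $ret = curl_exec($crl);
        curl_close($crl);
        //strict check: curl_exec() returns false on failure, and false == 0 is true in PHP
        if($ret !== false && trim($ret) === '0'){
            $_SESSION['byond_key'] = $_GET['key'];
            header('Location: index.php');
            exit;
        }else{
            echo 'ERROR: Received return code ' . htmlspecialchars((string)$ret) . ' from the mediator server.';
        }
    }else{
        //redirect the user to the mediator server
        $_SESSION['sid'] = time();
        header('Location:' . $_SESSION['sid'] . '&returnurl=' . urlencode(URL));
        exit;
    }
}else{
    //we're already logged in, so continue unless explicitly instructed to logout
    if(isset($_GET['logout'])){
        $_SESSION = array();
    }
    header('Location: index.php');
    exit;
}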


Please note: The example requires that you have the "curl" extension installed for PHP and assumes an installation of PHP 5.2 or higher. If it doesn't work for you, try these instructions.

I hope that this web service will open up more BYOND-powered websites and services.
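
The security measures listed in this post, modelled as an added example in Python (this is not the original author's CGI, whose source is not on this page). The HMAC construction of the hash, the non-zero return codes and all function names are assumptions; only the 0-for-success convention comes from the post's sample.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumption: key known only to the mediator
CERTS = {}                               # certificate id -> stored certificate

def _proof(cert_id, sid):
    # Assumed construction of the "hash": HMAC over the certificate id and sid.
    msg = f"{cert_id}|{sid}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_certificate(sid, key, ckey, ip=None):
    """After a successful login: store the certificate, return (id, hash) for the redirect."""
    cert_id = secrets.token_hex(16)      # measure 1: unique, unguessable id
    CERTS[cert_id] = {"sid": str(sid), "key": key, "ckey": ckey, "ip": ip}
    return cert_id, _proof(cert_id, sid)

def verify_certificate(cert_id, sid, proof, key, ckey, ip=None):
    """Site-to-mediator confirmation. Returns 0 on success; other codes are constructed."""
    cert = CERTS.pop(cert_id, None)      # measure 6: destroyed on first check, pass or fail
    if cert is None:
        return 1                         # unknown id, or certificate already used
    if not hmac.compare_digest(cert["sid"].encode(), str(sid).encode()):
        return 2                         # measure 2: not requested by this site's session
    expected = _proof(cert_id, cert["sid"])
    if not hmac.compare_digest(expected.encode(), str(proof).encode()):
        return 3                         # measure 3: caller does not hold the hash
    if (cert["key"], cert["ckey"]) != (key, ckey):
        return 4                         # measure 4: key/ckey differ from the login
    if cert["ip"] is not None and cert["ip"] != ip:
        return 5                         # measure 5: optional IP binding
    return 0

if __name__ == "__main__":
    sid = secrets.token_urlsafe(16)      # constructed sid; random rather than time-derived
    cid, proof = issue_certificate(sid, "Example Key", "examplekey")
    print(verify_certificate(cid, sid, proof, "Example Key", "examplekey"))
    print(verify_certificate(cid, sid, proof, "Example Key", "examplekey"))
```

The second call in the demo fails because the certificate is removed on the first check, which is what stops a captured redirect URL from being replayed.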


This should not be here; his website no longer exists and he has not supplied any source for the CGI file mentioned.

I for one wouldn't have trusted this process without seeing the CGI file's source.
I concur; this post should be removed as it's outdated.

I've already got a replacement for this up and running, but haven't yet had the time to write a proper tutorial for it.
A.T.H.K wrote:
I for one wouldn't have trusted this process without seeing the CGI file's source.

Why not? So long as you're being redirected to then you know there is no way your password was stolen.
While that is true, I will never trust the OP .. although he is gone now :)
In response to A.T.H.K (#5)
A.T.H.K wrote:
While that is true, I will never trust the OP .. although he is gone now :) = Android Data
It doesn't matter if you are redirected to, the CGI script can still MITM the resultant session information which is nearly as bad as stealing the password directly.

BYOND needs to implement true third party auth, but of course, even with this new website update and historic demand, they have not.
I stand corrected. I agree with Airjoe, though it is a wanted feature by a lot of people...