Dedicated Server Private Key/Token

I am trying to use a dedicated server with connection to a database via VaRest/Node.js. However, I am unable to figure out the best way to store a key or token on the dedicated server so it can authenticate with the Node.js server. I was wondering if anyone knew a secure way to store a key/token on a dedicated server without players being able to see or use the key as well. I can probably do it in some “hacky” way but I am wondering if there is a more “professional” way to do it.

… if you don’t send it to the clients, the clients won’t have it. I don’t think I understand what you’re getting at entirely?

It may be because I am new to dedicated servers, so I may be missing something entirely. What I mean is more this: if I had, for example, 100 servers and I wanted each one to have its own unique key that is stored locally, what would be the best way to store and access that key?

It’s unclear what you mean by “without players being able to see or use the key”:

  • If your concern is that connected clients could access data that isn’t replicated, on the dedicated server, then you don’t have to worry. So if that’s the case there’s no need to elaborate further :)
  • If your concern is that the administrator of a player-hosted dedicated server could access this data, then indeed things will be more difficult to do properly.

You can’t store the key in a file, that would make it accessible too easily and that would not match the temporary nature of this data. Therefore, you’d have to store it in memory, preferably encrypted. The way to do this is simple, you just need to have a variable in some object, that contains the encrypted key. You also need to make sure that at no point a variable stores the unencrypted key.

However the hosting provider could still intercept the key, in which case your best bet is to implement or use some kind of key exchange algorithm. And to use encryption in your exchanges. But at this point this is starting to look more and more overkill.

It’s likely that you won’t be able to guarantee that communication from a dedicated server you don’t own is going to be reliable, even if you made that server’s code yourself. Therefore, along with some basic protection to discourage script kiddies, I’d advise always validating the data that you receive on the NodeJS side, even if it comes from an authenticated source. If that data isn’t coherent / is trying to exploit your server, then refuse it and request a reset of the token.

… At least that’s how I would do it, not knowing much about the topic ;)
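The Node.js side of the advice above (one unique token per dedicated server, validation of every report even from an authenticated server, and a token reset on incoherent data), as an added example that is not part of the original post. The function names, the server IDs and the report fields (`playerId`, `score`) are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// serverId -> SHA-256 of the token currently issued to that dedicated server.
// Only the hash is kept, so a leak of this table does not reveal usable tokens.
const tokenHashes = new Map();
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Issue (or re-issue) a unique random token for one dedicated server.
function issueToken(serverId) {
  const token = crypto.randomBytes(32).toString('hex');
  tokenHashes.set(serverId, sha256(token));
  return token; // handed to that server once, over an encrypted channel
}

// Constant-time check that the presented token belongs to this server.
function authenticate(serverId, token) {
  const expected = tokenHashes.get(serverId);
  if (!expected || typeof token !== 'string') return false;
  return crypto.timingSafeEqual(expected, sha256(token));
}

// Hypothetical report schema: reject anything outside the expected shape and range.
function isCoherent(report) {
  return report !== null && typeof report === 'object' &&
    typeof report.playerId === 'string' &&
    /^[A-Za-z0-9_-]{1,32}$/.test(report.playerId) &&
    Number.isInteger(report.score) && report.score >= 0 && report.score <= 10000;
}

// Authenticated data is still validated; incoherent data revokes the token.
function handleReport(serverId, token, report) {
  if (!authenticate(serverId, token)) {
    return { ok: false, reason: 'unauthenticated' };
  }
  if (!isCoherent(report)) {
    tokenHashes.delete(serverId); // old token stops working until re-issued
    return { ok: false, reason: 'invalid-data-token-reset' };
  }
  return { ok: true };
}
```

Because each server has its own token, revoking one after a bad report leaves the other servers unaffected.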

Is this a question about how to store something? You could store it any way you wanted, in an Unreal ini file, in a regular text file, in a database, in some kind of custom key storage service, wherever.

Thank you @Altrue that answered my question.