Who Has Authority? (Server Or Client) And When?

After years of working in Unreal Engine, I believe I have a fairly solid understanding of what “Authority” means. Yet, there are many instances in my development efforts currently where I think I know that the server has authority “here” and that the client has authority “here”, but I am sorely mistaken.

The following is a list of instances where the server has authority and where the client does:

  • Server has authority:
    • Within the scope of a server RPC
    • Over an actor if it is the one that spawned it
    • Singleton objects like the game mode and game state
  • Client has authority:
    • Within the scope of a client RPC
    • Over its player controller
      • Within the scope of functions bound to the input component of a pawn
    • Over an actor if it is the one that spawned it

What am I missing from this list? Any situations that come to mind in your development efforts that would help identify when the server has authority and when the client does would be extremely useful and most welcome.

What I hope to achieve from this thread is to be able to compile a master list of every possible instance where the server has authority and when the client does so that it could be easily referenced. I think that would be useful.

Thanks for reading and contributing to this thread :slight_smile:

I don’t think “within a client RPC” means that the client necessarily has authority.
You can broadcast-RPC or send-RPC to actor copies on clients, where the client does not have authority over that object.

Looks like you are mixing two concepts.

Authority is simply the one who spawned the Actor. Replication is only possible if spawned by the server and the Actor is set to replicate.

The other concept is Ownership which can enable a client to use Server RPC´s (RunOnServer) or the Server to use Client RPC´s. (RunOnOwner).

Then there is the concept of Relevancy which if set to OnlyRelevantToOwner obviously only replicate itself to whoever owns the Actor.

Thanks for your response. I have a few questions for you.

  • So if “Authority” is defined as who spawned an actor (server or client), then what is “Ownership”?
  • You said I am mixing the concepts of “Authority” and “Ownership”, can you elaborate on that more?
  • Is the concept of “Ownership” in any way related to “Authority” or is it a completely unrelated concept?

Ownership is which one of the connections (Players) that owns the Actor. It can be none (null) and it can be changed during the game with SetOwner while Authority never changes.

You can always test things. For example:

Is wrong:

Printing “Has Authority” on the player controller:
There are two prints from the server because the server has copies of both controllers, and they are both true because the server has authority on both. The client only has one print that’s false because it only has its own controller and does not have authority over it.

Printing “Has Authority” on the player character:
There are four prints because both the server and the client have copies of both characters. The server has authority over both its own character & the client’s character, whereas the client has authority over neither.

This is with three players (left is from player controller, right is from player character):

And this is on a dedicated server (left is controller, right is character):

From the documentation, it says:

The Switch Has Authority node is used to check if the script is being executed on a machine that has Network Authority (in most use cases, this would mean Server) or if its being executed on a remote machine (in most use cases, this would be the Client)."

I think the “in most cases” is referring to when the client spawns a replicated actor, which makes the client the authority; though, because the client spawned it, it won’t spawn for all players because the client is not the server. When spawning a replicated actor on the server, the actor spawns for all players, so in order to have a client spawn an object for all players, you need to have the client request the server to do so.

So the literal answer to the question “Who Has Authority?” is:

But the “in most cases” answer is:

In most use cases, this would mean Server


^ This ^

With Unreal its generally better to figure out stuff on your own like midgunner hinted at. Why? Since UE4 shipped there’s been discussion about the way Epic teaches things and the way docs / tutorials are put together to help steer devs. Epic are the smartest guys in the room regarding engine tech. But as regards teaching stuff? They’re a bit too close to the material. With multiplayer especially, a lot of info is arguably wrong deceptive! Example.

Has-Authority gets used everywhere in every example. But its the most misleading over-hyped check there is imo. Why? Because its not that helpful when dealing with actual practical scenarios where you need to know the Server POV vs Client1 POV vs Client2 POV…

Example: Client1 attempts to kill Client2 using a rocket launcher. All 3 need to see the weapon firing if they’re close enough. Client1 needs to hear weapon Sound-FX, but not necessarily the Server if they’re far away. But the Server needs to handle all the logic checks and ensure weapon damage is enough to kill Client2. If so, Client2 needs to ragdoll and play various Sound-FX / VFX that the Server and Client1 may need to see / hear depending on distance / game-style / goals. But Client1 will definitely need to get gameplay feedback and witness Client2 ragdoll at least. So what does all that mean? Its often more helpful to just stick with the checks below instead of using or relying on Has-Authority. :wink:

(NOT) IsStandalone
(NOT) IsServer
(NOT ) IsLocallyControlled

There’s also the thorny issue of ownership and how you design things when non-server players have no ownership on most items in the game, and yet still need to interact with everything or call RPCs indirectly. Some things may need to be fully replicated fully visually. But others may not be, as the Server has stats on everything anyway. So you have to design things carefully. A common question is why can’t I call an RPC on this pickup! :stuck_out_tongue:


I tried to follow what you posted in this other thread.

What is IsStandalone = true? Did you mean if APawn::GetNetMode() == ENetMode::NM_Standalone?

  • Does “NOT IsStandalone” equate to APawn::GetNetMode() != ENetMode::NM_Standalone?
  • I’ve never seen IsServer before. Can you explain what that is?

The server has authority.
The server has authority.
The server has authority.
This is unreal.
The server has authority.
The server has authority.
The server has authority.

The user can press keys on the client. And you can do whatever you want on that single client. But
if you want all the clients to look the same. then You have to send that keypress to the server right?

And then you hopefully conclude…

The server has authority.
The server has authority.
The server has authority.
The server has authority.
The server has authority.

Keep in mind.


AS the developer to decide whats going to be “Authorized” by running it on the server. And what is not “Authorized” By running it on the clientt.

A user presses a key, a sound goes off on the client. You get to decide wether this is going to be a sound on all the clients or just the dude that pressed the key? If you want all the clients to hear it then you have to push it to them some how. Luckily the server is there which is used to connect all the clients. And the clients can all hear the same sound because the SERVER AUthorized it.

Good Luck. And Have Fun.

Without the use of RPCs, how can you be sure that a block of code or function will be executed on the server or the client?

I answered in BP-speak (sorry). Been using UE w/o source to focus more on gameplay.
Actually I’m hoping to never have to write another line of C++ ever again (if I’m honest).
Maybe that’s a bit hopeful or absolutely totally unrealistic though. I guess time will tell.
So GarnerP57 / jwatte or another will have to jump in and translate that BP ‘spaghetti’.
Or if no one follows up, you can always right-click on a BP node and click go-to-source. :wink:

1 Like

I’ve just never heard of IsServer before.

Its defined in UKismetSystemLibrary.

bool UKismetSystemLibrary::IsServer(UObject* WorldContextObject)
	UWorld* World = GEngine->GetWorldFromContextObject(WorldContextObject, EGetWorldErrorMode::LogAndReturnNull);
	return World ? (World->GetNetMode() != NM_Client) : false;

Thanks for mentioning that thought, this will help!

1 Like

Also, have a look at the Replication Compendium.
Then read it again, and once more :stuck_out_tongue_closed_eyes:

When I have a replication problem, I’m back reading it :grin:

1 Like

That is a really solid reference. I’m going to turn it into an audio book to listen to in the car lol.

he is right, my idea of all this is that server must have the authority and only him can perform the final word, otherwise you can have a leak on client side where hackers can do dirty things pheraps due you are authorizing client to have more control where should not. but thats all about how you need to be, but i believe server can have the last word of everything always should be like that, thats what a Authoritative Server means and thats what its used to make mmo and online games where are secured.