I am currently writing a network multiplayer game that uses a lobby system to find available matches for players to join. The list of available matches is served and updated by a web application via a simple REST API.
For example, when a player enters the lobby and creates a new match for other players to join, the game will send a POST request to the web application, which will add the match to the list. For another example, if this same player then decides they don't want to host a match, they would click a button that says "cancel match" or something like that. The game will send a DELETE request to the web application, which will remove the match from the list.
As far as security goes, I'm concerned that a smart player would be able to figure out how to use the API for my web application via cURL (or some other tool for making HTTP requests) to send malicious requests (like removing someone else's match from the list, for example). To state my goals clearly: I want my web application to be able to verify that incoming requests are coming from the game, and not from some other application like cURL, before processing them.
My instincts tell me that the best solution is to use a JWT token. The game will authenticate itself to the web application, which will generate a token and give it to the game. Then, the game will provide the token every time it makes a request. The question is: how do I get the game to authenticate itself (and, thus, receive a token from the web app) in a way that a malicious user couldn't do using a tool like cURL?
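Whatever the answer to the "prove it came from the game" question, the web application still has to authorize each request by the player identity carried in the token, not by which program sent it: record who created a match when the POST arrives, and reject a DELETE unless the token's subject is that owner. The following is an added example (not the asker's code) that sketches this in Python with a minimal HS256 JWT; the login step that establishes the player identity, the in-memory match table, and the status-code return values are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time
from typing import Dict, Optional

# Assumption: the signing secret lives only on the web app, never in the game binary.
SECRET = b"server-side-signing-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(player_id: str, ttl: int = 3600) -> str:
    """Mint an HS256 JWT for a player who has already logged in (login assumed)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": player_id, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str) -> Optional[str]:
    """Return the player id if the signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):  # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) < time.time():
        return None
    return claims["sub"]

# match_id -> owning player_id; in-memory stand-in for the real match list.
matches: Dict[str, str] = {}

def create_match(token: str, match_id: str) -> int:
    """POST: any authenticated player may host; ownership is recorded server-side."""
    player = verify_token(token)
    if player is None:
        return 401
    if match_id in matches:
        return 409
    matches[match_id] = player
    return 201

def delete_match(token: str, match_id: str) -> int:
    """DELETE: only the recorded owner may cancel, no matter which client sent it."""
    player = verify_token(token)
    if player is None:
        return 401
    owner = matches.get(match_id)
    if owner is None:
        return 404
    if owner != player:
        return 403
    del matches[match_id]
    return 204
```

A request forged with cURL that carries a valid token can still only remove the sender's own match, which is the property the lobby actually needs.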