Engineering Note

Keeping Gameplay Server-Authoritative

A practical breakdown of why the client should never own gameplay outcomes, and how I structure remotes, validation, and state so exploiters have nothing to grab onto.

Server-authoritative gameplay patterns used on a 31k-player game

Security

5 min read

Updated Mar 2026

The Core Rule

The client should never decide a gameplay outcome. It can request things — open this case, accept this trade — but the server validates, decides, and persists. If you only remember one thing about exploit resistance on Roblox, it's that.

Where Exploits Come From

-Remotes that trust whatever the client sends
-Outcomes (rolls, payouts, rewards) computed on the client
-State the client can edit and have the server believe

How I Structure It

01Client fires a remote

02Server checks permission and rate limits

03Server validates the request against real state

04Server computes and applies the outcome

05Server replicates the result back

Every remote assumes the caller might be hostile. Inputs are validated, abuse-prone calls are rate limited, and nothing the client says is taken at face value.

Why It's Worth It

Done up front, server authority costs a little extra structure. Skipped, it costs dupes, a broken economy, and emergency patches at the worst possible time. I'd rather build the foundation once.

Internal Links

service

Need a senior engineer on a system like this?

If your product is hitting the same kind of architectural, performance, or live-ops pressure, send the brief and I can help scope the highest-risk part first.

Worried About Exploiters?