Over the past 2.5 months, I've been heads-down building the critical infrastructure that makes SWGRealms different from traditional SWG hosting. While much of this work is invisible to players, it's the foundation that enables galaxy owners to run communities without worrying about security breaches, and gives players confidence that their personal information stays private.

The Privacy Problem We're Solving

In traditional SWG hosting, galaxy owners need database access to manage accounts, handle bans, and run their servers. This makes perfect sense for a single community, but it creates a serious privacy issue: galaxy owners can see player passwords (even if hashed), email addresses, IP addresses, and login history.

Think about it like this: if you play on three different galaxies, three different server owners have access to your personal information. If any one of them gets hacked, your data from all three communities could be exposed. And if you reuse passwords (many do, even though they shouldn't), the problem multiplies.

This isn't a criticism of galaxy owners. They're running communities, not security operations. But asking them to be both creates a difficult situation where well-meaning server admins become responsible for protecting sensitive user data without the resources or expertise to do it properly.

Additionally in a multi-galaxy service like SWGRealms players want persistent identity but they also want to be able to play multiple galaxies in peace without galaxy owners knowing where else they're playing.

The Solution: Privacy by Architecture

Over the past few months, I've completely restructured how Core3 (the SWG server software) handles authentication and character management. Instead of galaxy owners having direct database access to player accounts, all account operations now flow through a centralized API server that I built, the SWGRealms API server.

What this means in practice:

When you connect to SWGRealms, here's what happens:

  1. You enter your username and password into the SWGRealms login server
  2. The login server validates your credentials through the SWGRealms API server
  3. An encrypted session token is returned to your client.
  4. You see a list of galaxies and select which one to join
  5. When you "zone in" to your chosen galaxy, the galaxy server asks the API server "Is this session valid?"
  6. The API server responds with "Yes, this is player #12345" or "No, invalid session"
  7. The galaxy loads your characters and you start playing

This is an important distinction from traditional hosting: you don't log in directly to a galaxy. The SWGRealms login server and API server handle all the sensitive authentication and private data before you ever connect to a galaxy server.

The galaxy owner never sees your password, never sees your email, and never sees your real IP address. Instead, they receive an encrypted IP address that's useless for tracking you down or launching attacks against your home network. This protects you from DDoS attacks or doxxing attempts.

Galaxy owners get exactly the information they need to run their community (your player ID, character names, ban status) and nothing more. Your account ID and encrypted IP is unique to each galaxy so they can't coordinate with other galaxies to grief you. They can still report players for abuse and the SWGRealms staff can validate the actual user and the real IP address they're connecting from to take any needed actions such as blocking in the firewall or account bans.

For galaxy owners, SWGRealms takes on the security and scale so you're no longer responsible for securing sensitive player data. You can focus on building great content and managing your community without worrying about being the next security breach headline. You also don't have to worry about someone on your staff doing inappropriate things with people's personal data. Even galaxy customer service representatives are restricted to just galaxy-specific data; they can't access personal account information.

For the community, this makes it easy to launch a new server without having to worry about sign-ups, and getting people connected, dealing with client configurations etc, all of that is handled by SWGRealms and the central services. You can go from launch to a thousand players online in an hour if your idea is popular enough! It also makes it easy and safe for players to try different servers out to see what the other communities and servers are like.

Development Work By The Numbers

To give you a sense of the work since the last developer update:

  • 59,543 lines of code written (excluding documentation)
  • 170 commits across 4 different codebases
  • ~1,000 pages if you printed it all out
  • Equivalent to writing 4-5 novels worth of technical content

The largest piece was building a complete network protocol decoder from scratch (more on that below) which alone represents about 82% of the code. This tool converts packet captures into a format we can use (JSON) for testing complex tasks. I used it to analyze old packet captures I personally collected when the game was live, filling in gaps in what we had in Core3's implementation. It also enables automated testing. With each code change, we can now run automated login sequences, test the server and various admin functions, and verify logout. Over time this will become the foundation for scaled load testing to see how well SWGRealms can scale to thousands of players online at one time. The goal is stable, repeatable deployments, and new server launches that go off without a hitch due to our ability to "load test" them in advance of players logging in.

What Got Built

1. Privacy-First API Layer (SWGRealms API Server)

The SWGRealms API authentication service now handles everything account-related:

  • Login validation with your credentials never leaving the secure system
  • Account ban management without exposing player information
  • Character creation and name reservation
  • Per-galaxy ban lists (each galaxy controls their own community standards)
  • Session management with one-time-use tokens to prevent replay attacks
  • IP address encryption, galaxy servers only receive encrypted IPs, protecting players from DDoS or doxxing
  • IP proxy capability to shield galaxies against various network attacks
  • Universe-wide banned account blocking across all galaxies, keeping load off individual galaxy servers
  • Galaxy owners and customer service reps can still manage character and account bans for their specific galaxy

2. Protocol Research Toolkit (swgdump)

SWG uses a custom network protocol that's quite complex. It has encryption, packet reordering, fragmentation, and a dozen other technical details. To properly test our authentication system and understand exactly what's happening on the network, I built a complete packet decoder from scratch.

Think of it like building a microscope to examine network traffic. This tool can read captured network data and tell us exactly what messages are being sent, in what order, and with what content. It's already proven invaluable for debugging issues and will be essential for future protocol analysis.

The cool part? I validated it against existing tools and it decodes packets with 100% accuracy including support for pre-CU and NGE packet captures. I tested it against 2 million packets I personally captured from servers when the game was live.

3. Automated Testing Infrastructure

To make sure our authentication changes don't break existing functionality, I built an automated testing tool that can:

  • Log into servers automatically
  • Create and delete characters programmatically
  • Navigate through the zone connection process
  • Automate commands such as admin commands like /setfirstname to test character changes
  • Generate reports in a format that testing systems can verify

This means every time I make a change to the SWGRealms API code, I can automatically test that login still works, character creation still works, name changes work, and nothing broke. This kind of automation is critical for maintaining quality as the platform grows.

What This Enables

All of this infrastructure work creates the foundation for features that weren't previously possible:

Cross-Galaxy Character Names: Because we have centralized identity and comprehensive APIs, we can let players keep their name across galaxies for shared universal names.

Unified Ban Management: If a player is toxic across multiple galaxies, communities can share ban information without sharing the personal data behind it.

Galaxy Management Dashboards: With complete character and account APIs, galaxy owners can get admin interfaces instead of raw database queries.

Automated Testing: Before pushing updates to live galaxies, we automatically verify everything is working as expected, limiting the number of times players or galaxy owners have to find bugs after we update the server.

Protocol-Level Debugging: When weird issues happen, we can capture network traffic and see exactly what's going wrong.

For the Technical Crowd

Authentication Architecture:

The new architecture moves from direct MySQL access to API-mediated access using REST endpoints. Core3 now uses a persistent HTTP client with connection reuse, reducing API latency by 90% compared to creating new connections for each request.

All account operations (login, ban management, character creation) flow through the SWGRealms API server, which maintains the authoritative account database. Galaxy servers receive opaque identifiers and minimal account metadata.

Session tokens use encrypted IP addresses (EIP) for privacy-preserving session validation without exposing end-user/player details.

Code Statistics:

  • Core3: +7,915 / -4,657 lines (SWGRealmsAPI integration)
  • SWGRealms API Server: +5,799 / -589 lines (complete API implementation)
  • swgdump: +45,577 / -6,618 lines (protocol decoder from scratch)
  • swgrealms-platform: +252 / -169 lines (username validation)

Protocol Decoder (swgdump):

Built a complete C++17 implementation of SWG's custom UDP transport layer:

  • Reliable channel state management with reordering and fragment aggregation
  • Multiple encryption passes (identity, XOR, XOR buffer with LCG key stream)
  • CRC verification (1-4 byte CRC-32)
  • Support for both Pre-CU and NGE protocol variants
  • Modular parser registry for extensibility
  • 100% validation against reference implementations

The decoder successfully parses all baseline message types (PLAY, CREO, TANO, SHIP, etc.) and object controller messages, with structured JSON output for each.

Testing Infrastructure:

Created new client with an action-based architecture:

  • LoginAccountAction: automated credential validation
  • CreateCharacterAction: character creation with full customization
  • ConnectToZoneAction: zone connection and scene loading verification
  • Action dependency management for complex test scenarios
  • JSON output for CI/CD integration

Looking Forward

This foundation work enables the next phase:

Automated Galaxy Provisioning: With all the APIs in place, spinning up new galaxies becomes a matter of clicking a button rather than manual server configuration.

Galaxy Management Dashboard: Now that we have complete character and galaxy APIs, I can build the web interface that lets galaxy owners manage their communities without touching databases directly.

Multi-Galaxy Analytics: With centralized data (but protected privacy), we can show galaxy owners how their community is growing without compromising individual player privacy.

Advanced Security Features: The API architecture makes it straightforward to add features like two factor authentication (2FA), anomaly detection, and account security alerts.

The Boring But Critical Work

I know this update is less flashy than "look at this cool new feature!" But this is the work that makes SWGRealms fundamentally different from traditional hosting. It's the difference between hoping nobody hacks your server and knowing that even if they do, player passwords and personal information aren't at risk.

It's the foundation that lets us build features that would be impossible with direct database access. And it's the infrastructure that lets the platform scale from a handful of beta galaxies to potentially hundreds of communities without falling apart.

Think of it like building a house. You don't see the foundation once the walls are up, but everything depends on getting it right.

Development Philosophy

One thing I've learned from decades in this space: security is job zero. You can't bolt it on later. Every design decision in this update prioritizes protecting player privacy and enabling galaxy owners to focus on their communities rather than security operations.

The privacy architecture isn't just about compliance or checking boxes. It's about building trust. Players should trust that their information is protected. Galaxy owners should trust that they won't be responsible for the next data breach.

Timeline Reality Check

This work took 2.5 months of concentrated effort, roughly the equivalent of writing 4-5 novels worth of technical content, all validated to work correctly. For a volunteer project, that's the reality of building something properly rather than cutting corners.

I'd rather take the time to get the foundation right than rush forward and have to rebuild it later when we discover the shortcuts don't scale or don't protect privacy properly.

What's Next

With the authentication foundation complete, I'm moving into:

  1. Galaxy Automation: Launching new galaxies that leverage the SWGRealms API and development pipeline
  2. Galaxy Management Dashboard: Visual tools for galaxy owners to manage their communities
  3. Analytics Platform: Show galaxy owners community health without compromising privacy
  4. Documentation: Comprehensive guides for galaxy owners integrating with the platform

Questions about the privacy architecture or interested in beta testing? Contact us at [email protected].