Problem
Beam.init() in the web SDK currently auto-mints a guest account whenever no stored access token is found. The auto-login path is in web/src/core/Beam.ts:143-144:
if (!accessToken) {
  // If no access token exists, login as a guest
  tokenResponse = await this.clientServices.auth.loginAsGuest();
}
There is no configuration knob to suppress this behavior. Every fresh page load on a site that calls Beam.init on boot - including bots, scrapers, and visitors who close the tab before doing anything - results in a brand-new guest dbid against the realm.
For projects with an open web surface this can inflate platform-side player counts by one to two orders of magnitude relative to the population of users who actually interacted with the game. It also produces a long tail of dbids that mint a token, hit a handful of bootstrap services, and are never seen again.
Proposal
Add an option to BeamConfig (working name: autoGuestLogin: boolean, default true for backwards compatibility) that, when set to false, skips the loginAsGuest() call inside the connect flow. With the option off, the SDK initializes in an unauthenticated state and waits for the integrator to call loginAsGuest() (or any other auth method) explicitly in response to a user action.
This lets integrators defer dbid creation until a visitor demonstrates intent (clicks "Play", connects a wallet, signs in via federated identity, etc.), which both reduces stray account creation and gives the integrator full control over when the account is minted.
Acceptance criteria
- BeamConfig accepts an opt-out flag (name TBD) that disables the auto-guest path on Beam.init.
- With the flag set, Beam.init completes without calling /basic/auth/token and without writing token state.
- API calls that require auth raise a clear "not authenticated" error rather than silently triggering a guest login.
- Default behavior is unchanged so existing integrations are not affected.
Notes
- Unity SDK has a similar shape (BeamContext initialization implies a guest login when no token is present); a follow-up parity issue may be warranted, but this issue is scoped to web.
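
A sketch of the gating the proposal and acceptance criteria describe, added here as an example and not taken from the SDK. BeamSketch, SketchConfig, NotAuthenticatedError, callAuthed and makeCountingAuth are hypothetical names; autoGuestLogin is the issue's working name, and the counting auth service is a constructed stand-in for the realm.

```typescript
// Added illustration: a minimal stand-in for the SDK, not Beamable source.
// autoGuestLogin is the issue's working name; all other names are hypothetical.
interface AuthService { loginAsGuest(): Promise<{ accessToken: string }> }
interface SketchConfig { autoGuestLogin?: boolean }

class NotAuthenticatedError extends Error {
  constructor() {
    super("not authenticated: call loginAsGuest() or another auth method first");
    this.name = "NotAuthenticatedError";
  }
}

class BeamSketch {
  private token: string | null = null;
  private auth: AuthService;
  private autoGuestLogin: boolean;

  constructor(auth: AuthService, config: SketchConfig = {}) {
    this.auth = auth;
    this.autoGuestLogin = config.autoGuestLogin ?? true; // default keeps today's behavior
  }

  async init(storedToken: string | null = null): Promise<void> {
    this.token = storedToken;
    if (!this.token && this.autoGuestLogin) {
      // Legacy path: a guest dbid is minted on every tokenless boot.
      this.token = (await this.auth.loginAsGuest()).accessToken;
    }
    // Flag off: stay unauthenticated and write no token state.
  }

  // Explicit mint, to be called from a user action such as a "Play" click.
  async loginAsGuest(): Promise<void> {
    this.token = (await this.auth.loginAsGuest()).accessToken;
  }

  // Authenticated calls fail closed instead of silently minting a guest.
  async callAuthed(path: string): Promise<string> {
    if (!this.token) throw new NotAuthenticatedError();
    return `${path} called with ${this.token}`;
  }
}

// Constructed fake auth service that counts how many guest accounts were minted.
function makeCountingAuth() {
  let count = 0;
  const auth: AuthService = { loginAsGuest: async () => ({ accessToken: `guest-${++count}` }) };
  return { auth, minted: () => count };
}
```

Counting mints on the fake service is also a usable regression check for the real change: with the flag off, a tokenless init must leave the counter at zero.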