Seamless sign-in
Players click Play on Metaloot and land in your game already authenticated. A scoped token travels in the URL fragment β your origin, your code, zero login screens.
For Game Developers
Add one script tag, register with one API call, and your browser game gets accounts, cloud saves, playtime tracking, and inventory on every player's Metaloot profile. Simple enough to hand to an agent: point it at /llms.txt and say βdeploy on Metaloot.β
Players click Play on Metaloot and land in your game already authenticated. A scoped token travels in the URL fragment β your origin, your code, zero login screens.
Any JSON, up to 256 KB per slot. Metaloot.saves.put('main', state) and the run survives any device.
The SDK heartbeats while the tab is visible. Hours-per-game land on the player's profile with zero game code.
Grant loot from your game; it renders on the player's Metaloot profile β trophy shelf, vault, and currencies.
Report the player's roster β classes, levels, stats β and it shows up on their profile.
Your build stays on your host (Railway, Cloudflare, Vercel, bare metal). Metaloot is the player layer, not a walled garden.
Security model
Published games are third-party code, so they never run on the Metaloot origin β a malicious build can't touch platform sessions. Instead, the Play button mints a short-lived token scoped to one game and one player, delivered in the URL fragment so it never appears in server logs.
That token can read and write its own game's saves, items, and playtime for that player β and nothing else. Grants made from client code are convenient but forgeable (players own their devtools); when loot needs to be trustworthy, issue it from your game's backend using the same API.