From repo to live on Metaloot in six steps.

Your game runs on its own origin — untrusted code never shares the platform origin. When a player clicks Play, Metaloot redirects to your game URL with a scoped session token in the URL fragment (#mlt=...). The SDK picks it up, strips it, and from then on the player is signed in. The token is scoped to your game only: that player's saves, items, and playtime — nothing else. No token? The SDK runs in guest mode (all calls resolve to null) and your game keeps working.

Vendor the SDK so your game has zero runtime dependency on Metaloot being reachable:

curl -fsSL https://web-production-3191c.up.railway.app/sdk/metaloot.js -o vendor/metaloot.js

Load it before your game code in your entry HTML:

<script src="./vendor/metaloot.js"></script>

Then integrate what your game needs (all optional):

// Identity (user is null in guest mode — keep the game playable!)
const { user, totalSeconds } = await Metaloot.ready;

// Cloud saves (any JSON, ≤ 256 KB per slot)
await Metaloot.saves.put("main", { level: 3, gold: 120 });
const save = await Metaloot.saves.get("main"); // { data, updatedAt }

// Loot on the player's Metaloot profile
await Metaloot.items.grant({ key: "gold", name: "Gold", kind: "currency", icon: "🪙", quantity: 25 });
await Metaloot.items.grant({ key: "excalibur", name: "Excalibur", kind: "artifact",
                             icon: "⚔️", rarity: "legendary", quantity: 1, mode: "set" });

// Characters on their profile roster
await Metaloot.characters.upsert({ key: "hero", name: "Hero", class: "Knight", level: 4 });

// Playtime is automatic — no code needed.

Any static host or server: Railway, Cloudflare Pages, Vercel, Netlify, your own box. It just needs a public URL (https in production), and if your host injects PORT, bind to it. Note the final URL — that's your playUrl.

Sign in at https://web-production-3191c.up.railway.app, open your profile, and in the Developer panel click Reveal developer token. Tokens last 30 days.

export METALOOT_DEV_TOKEN="<paste token>"

In your repo root. Required: slug, name, playUrl.

{
  "slug": "your-slug",
  "name": "Your Game",
  "playUrl": "https://your-game.example.com",
  "genre": "Action Roguelike",
  "blurb": "One-line pitch shown on the game card.",
  "heroTagline": "Longer tagline for the game page hero.",
  "description": ["A paragraph about the game."],
  "gameplay": ["How it plays."],
  "keySystems": ["Dashing", "Crafting"]
}

curl -fsS -X POST https://web-production-3191c.up.railway.app/api/v1/games/register \
  -H "Authorization: Bearer $METALOOT_DEV_TOKEN" \
  -H "Content-Type: application/json" \
  -d @metaloot.json

Success returns your listingUrl and launchUrl. Errors are machine-readable — { "ok": false, "error": "invalid_play_url", "message": "..." } — fix the named field and re-run.

Open your listing and click Play. You should land in your game already signed in. Play a bit, then check your profile — playtime, saves, and granted loot are there.