Hytale Server Manager (HSM)

A simple tool to download and manage your Hytale dedicated server lifecycle.

What Does It Do?

• Logs you into your Hytale account
• Downloads the Hytale server files for you
• Manages game sessions so your server can run

Quick Start

Download the latest release for your operating system from the Releases Page.

Available for:

• Windows
• macOS (Intel & Apple Silicon)
• Linux (x64 & ARM)

Alternativly, you can also run HSM as a docker container

docker pull highcard/hsm:stable

---

Usage - Single User Mode

Login to Hytale

hsm login

This will open your browser to log in with your Hytale account.

Download the Server

With Binary:

hsm download

Start the Server

With Binary:

hsm start

With Docker:

docker run -it --rm \
  -v $(pwd):/data \
  -v $(pwd)/config:/home/hsm/.config \
  highcard/hsm download

Docker runs will ask for login credentials automatically, you don't need to call login manually.

The server files will be downloaded and extracted to your current folder.

Usage - Game Hosting providers

Authentication

For Game Hosting Providers it is highly recommended to deploy HSM as a service to your infrastructure. To manage the retrieval of game sessions, download URLs and anything else, a JWKS/JWT authentication flow can be used. HSM Service will automatically secure every endpoint when you run it with the --jwks-endpoint flag (e.g., hsm serve --jwks-endpoint https://your-auth-server/.well-known/jwks.json).

For an example, take a look at the hosted-auth example.

This works very well with Kubernetes Service accounts too and is the way how it is used at druid.gg

Using Kubernetes Service Account Authentication

The simplest way to enable authentication in Kubernetes is using service accounts:

hsm:
  useServiceAccount: true

This automatically configures HSM to validate JWTs from Kubernetes service accounts using the cluster's JWKS endpoint.

Custom CA Certificates for Kubernetes

When running in Kubernetes with custom CA certificates (e.g., for internal JWKS endpoints with self-signed certificates), you can specify a CA certificate file:

hsm serve --jwks-endpoint https://your-auth-server/.well-known/jwks.json --jwks-ca-cert /etc/ssl/certs/ca.crt

In Helm, configure it using:

hsm:
  jwks_endpoint: "https://your-auth-server/.well-known/jwks.json"
  jwks_ca_cert: "/etc/ssl/certs/ca.crt"
  jwks_ca_cert_secret: "your-ca-cert-secret"

The secret should contain a ca.crt key with your CA certificate.

No Authentication

If you disable authentication, make sure the service is not reachable from the outside world or by any entity (including your customers). Otherwise someone can generate unlimited game sessions through your account. Depending on your setup, authentication can be omitted if the customer does not have enough permission to abuse the session generation. This highly depends on your exact setup!

Checkout the no-auth hosted-no-auth example.

Run HSM as Service

Helm Chart

Add this repository to Helm:

helm repo add hsm https://highcard-dev.github.io/hsm/
helm repo update

Install the chart:

helm install hsm hsm/hsm

Docker Container

docker run -it --rm \
  -v $(pwd)/config:/home/hsm/.config \
  -p 8080:8080 \
  highcard/hsm serve

Binary

hsm serve

When no session.json is found, use the link in the console to authenticate yourself.

Retreive download url for latest game version

curl -X POST http://localhost:8080/download

Returns a presigned URL for the serverfile archive.

Get Game Session

curl -X POST http://localhost:8080/game-session

This gives you the tokens needed to start your Hytale server.

REST API

TODO: Readme