XLogin
Authentication System with Premium Auto-Login, 2FA & Bedrock Support
Built on XCore — The modular Minecraft server framework
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Why XLogin?A complete authentication system with per-player online-mode (JPremium-like), two-factor authentication, cross-server sessions, Velocity/BungeeCord proxy support, and a full security suite — all in a single JAR that works on Velocity, BungeeCord, AND Paper.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Premium Auto-Login (Per-Player Online-Mode)Premium players are verified with Mojang and connect seamlessly — no
/register or /login needed. Works both as a standalone server (Netty pipeline injection) and behind a proxy (same JAR handles everything).- Single JAR — Works on Velocity, BungeeCord, AND as XCore addon. No separate proxy plugin.
- Standalone — Netty pipeline injection, same technique as JPremium (AES/CFB8 encryption)
- Proxy networks — Proxy-level verification with smart routing (premium/session players skip auth server)
- Auto-registration — New premium players are automatically registered on first join
- Skin applied automatically — Textures fetched from Mojang's session server
- Password masking —
/loginand/registerpasswords hidden from console logs
Two modes:
- STRICT (
premium-strict-mode: true) — Any Mojang username is forced through verification. Cracked players cannot use a premium name./premiumand/unpremiumcommands are disabled. Best for maximum security. - OPT-IN (
premium-strict-mode: false) — Only players who used/premiumare verified. Everyone goes through/registerfirst, then can opt-in with/premium. Best for mixed servers.
Authentication- Login / Register —
/login <password>,/register <password> <confirm> - Password Security — SHA-256 with per-account salt, configurable strength requirements
- Session System — Database-backed sessions, auto-login on reconnect within timeout
- Persistent Prompts — Title, subtitle, action bar, boss bar countdown — all configurable, persist until auth
- Last Login Info — Shows date and IP of last login after authentication
Bedrock Support (Geyser / Floodgate)- Automatic authentication — Bedrock players are authenticated via Xbox Live, no
/loginor/registerneeded - Auto-registration — New Bedrock players are auto-registered on first join with a random password
- Floodgate detection — Detected via UUID prefix (Geyser/Floodgate standard)
- Configurable —
bedrock.auto-login: true/falsein config - Works with proxy — Bedrock players are instantly redirected to lobby like premium players
Premium Username Change (Auto-Migration)- Automatic detection — When a premium player changes their Mojang username, XLogin detects the mismatch via the stored Mojang UUID
- Seamless migration — Account, sessions, and 2FA data are migrated to the new UUID in a single transaction
- Cross-server sync — A
MIGRATEevent is published so all servers in the network are notified - Zero data loss — Password, premium flag, email, 2FA — everything is preserved
UUID Modes- OFFLINE (default) — All players use offline UUIDs (derived from name). Simple and safe.
- REAL — Premium players use their real Mojang UUID. Enables cosmetics on Lunar/Badlion clients. Cracked players still use offline UUIDs. Set via Paper's PlayerProfile API.
Warning: Changing uuid-mode after players have data is destructive. Set this once at server setup.
Email Password Recovery/email set <email>— Link an email to your account/email remove— Remove linked email/recover <username>— Request recovery code (sent via email)/recover <username> <code> <newpassword>— Reset password- SMTP support — Gmail, Outlook, custom SMTP servers
- Rate limited — Configurable cooldown between requests
- Time-limited codes — 6-digit codes expire after configurable duration
Two-Factor Authentication (2FA)TOTP support compatible with Google Authenticator, Authy, Microsoft Authenticator, and any TOTP app.
/2fa setup— Generate a secret key, add to your authenticator app/2fa <code>— Verify the 6-digit code to confirm setup or complete login/2fa disable— Remove 2FA from your account- RFC 6238 compliant — Standard TOTP implementation, no external dependencies
- Premium players bypass 2FA — Mojang handshake is already cryptographic proof of identity
Proxy Support (BungeeCord / Velocity)Same
Smart Routing
The proxy intelligently routes players based on their authentication state:
Server Roles
Setup
Cross-Server Sessions
Sessions are stored in XCore's shared database. All servers see the same sessions. Redis recommended for instant propagation.
XLogin.jar on the proxy AND on backend servers. No separate plugin needed.Smart Routing
The proxy intelligently routes players based on their authentication state:
- Premium player → Mojang verified → routed directly to lobby (skips auth server entirely)
- Valid session → routed directly to lobby (skips auth server)
- New/expired player → routed to AUTH server →
/loginor/register→ redirected to lobby
Server Roles
- AUTH — Login/register server. Players authenticate here and are redirected to the lobby.
- LOBBY — Main hub. Session auto-login. No valid session = kicked.
- GAME — Sub-servers. Session auto-login. No valid session = kicked.
Setup
- Place
XLogin.jarin the proxy'splugins/folder - Place
XLogin.jarinplugins/XCore/addons/on each backend server - Configure the proxy's
config.ymlwith the same database and Redis as XCore - Configure each backend's
config.ymlwith the appropriate role (AUTH, LOBBY, GAME)
Cross-Server Sessions
Sessions are stored in XCore's shared database. All servers see the same sessions. Redis recommended for instant propagation.
Security- IP Rate Limiting — Configurable max failed attempts per IP within a time window
- Temporary IP Bans — Auto-ban IPs after exceeding rate limit
- IP Lock — Only allow login from the last known IP
- Max Accounts Per IP — Limit registrations from the same address
- Name Validation — Regex pattern + blocked word list
- Password Strength — Configurable min/max length, optional uppercase + lowercase + number requirement
- Login Timeout — Auto-kick if player doesn't authenticate in time
Player RestrictionsWhile unauthenticated, players are completely restricted:
- Movement — Position locked, head rotation allowed
- Chat — Blocked
- Commands — Only
/login,/register,/2fa, and configured allowed commands - Interactions — Block break/place, inventory, item drop/pickup
- Combat — Damage give/receive blocked
- Vehicles — Cannot enter
- Portals — Blocked
- Teleportation — Non-plugin teleports blocked
- Visibility — Hidden from other players + blindness effect
- Join/Quit Messages — Hidden until authenticated
Admin Tools- Force Login —
/xlogin forcelogin <player>— Authenticate a player without password - Reset Password —
/xlogin resetpassword <player> <new> - Account Info —
/xlogin info <player>— Registration date, IPs, login count - IP Lookup —
/xlogin accounts <ip>— All accounts from a given IP - Unregister —
/unregister <player>— Delete an account - Set Spawn —
/xlogin setspawn— Set the login spawn point - AuthMe Import —
/xlogin import authme <table>— Migrate from AuthMe - JPremium Import —
/xlogin import jpremium <table>— Migrate from JPremium
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Commands
Player
Code:
/login <password> — Login to your account
/register <password> <confirm> — Register a new account
/changepassword <old> <new> — Change your password
/logout — Logout and disconnect
/premium — Enable premium auto-login
/unpremium — Disable premium auto-login
/2fa setup — Set up 2FA
/2fa <code> — Verify 2FA code
/2fa disable — Disable 2FA
/email set <email> — Link recovery email
/email remove — Remove linked email
/recover <username> — Request recovery code
/recover <username> <code> <newpw> — Reset passwordAdmin
Code:
/xlogin reload — Reload config & lang
/xlogin setspawn — Set login spawn
/xlogin forcelogin <player> — Force-authenticate
/xlogin resetpassword <player> <pw> — Reset password
/xlogin info <player> — Account info
/xlogin accounts <ip> — IP lookup
/xlogin import authme <table> — Import from AuthMe
/xlogin import jpremium <table> — Import from JPremium
/unregister <player> — Delete account━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Permissions
Code:
xlogin.admin — All admin commands (reload, setspawn, forcelogin, resetpassword, info, accounts, import, unregister)
xlogin.notify — Receive admin notifications (failed logins, registrations, new players)
xlogin.update — Receive update notifications on join━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Requirements☐ Paper 1.21.1+ (Folia compatible) — for standalone mode
☐ Velocity 3.3+ or BungeeCord — for proxy mode
☐ Java 21+
☐ XCore (framework, for backend servers)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
InstallationStandalone (single server)
1. Place
XCore.jar in plugins/2. Place
XLogin.jar in plugins/XCore/addons/3. Start the server and configure
Proxy network
1. Place
XLogin.jar in the proxy's plugins/ folder2. Place
XLogin.jar in plugins/XCore/addons/ on each backend3. Configure both proxy and backend configs
Same JAR file — auto-detects the platform.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Links
Documentation
Discord Website━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Screenshots━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Made with
by Xyness
