Be a Supporter!

Browse Sections

Newgrounds Wiki: 05 - Encrypted Calls

The Newgrounds.IO allows you to use encryption to help obfuscate your calls. This obfuscation makes it harder for users to grab and modify your JSON objects for the purposes of cheating.

It is important to note that this is by no means a fully secure option. Your applications need an encryption key that can most likely be accessed in non-compiled source code with ease. You should always put measures into your applications to assist with cheat prevention and moderate the things you let users post and unlock.

If you chose to use encryption, we currently support RC4 and 128-bit AES ciphers. Your encrypted data must also be converted from binary to either Hex or Base64 so it can be transmitted as a string.

If reading all of that makes your brain hurt, the good news is that using encryption is completely optional. You will need to select what cipher/encoding your app is going to use in the API Tools section of your project, or opt out of using encryption altogether.

If you do enable encryption, any calls that unlock or post things to a user account MUST be encrypted.

To post an encrypted call, you first simply convert your call object to a JSON string. If you were unlocking a medal with an id of 123456, that call object would look like:


"component": "Medal.unlock",

"parameters": {

"id": 123456



Next, you would encrypt that JSON string with your preferred cipher. This should result in a binary value or byte array depending on your environment. Some older encryption libraries will actually encrypt directly to Hex. If this is the case, you can skip the next step.

Once you have your encrypted binary, you simply need to encode it to a Hex or Base64 string (whatever method you selected in your API Tools setup).

For the sake of this example, lets say your encrypted string is now (obviously your actual strings will be MUCH longer):


You will post this using a "secure call" object. This is simply a call object with a single "secure" property. Your final "input" object will look something like this:


    "app_id": 'some_app_id',

    "session_id": 'some_session_id',

    "call": {

        "secure": "JHGjkscg78gasdgc9iboHOoijvc98dsklK99078SCNlkCHisdafvc="