MaxAuth - Speedgot

MaxAuth -----

Modern proxy-first authentication plugin for Minecraft networks

MaxAuth is a modern proxy-first authentication plugin for Minecraft networks.

It protects cracked accounts with passwords, automatically authenticates premium Java players, supports Bedrock/Floodgate players, manages UUIDs, sessions, two-factor authentication, captcha maps, backend protection, and safe migration from JPremium.

MaxAuth is based on the authentication concept and behavior of JPremium and was built as a modern successor for servers that want a cleaner, more configurable, and actively maintainable authentication system.

What is MaxAuth?
MaxAuth is not just a simple login/register plugin.

It is a complete authentication layer for Minecraft networks running behind Velocity or BungeeCord.
The proxy decides who the player is, what UUID should be used, whether the player is premium/cracked/Bedrock, whether they need to log in, and where they should be sent after authentication.

The backend plugin protects players while they are not authenticated yet.

How does it work?
When a player joins the proxy, MaxAuth checks their account type and stored profile.

Premium players can be verified and logged in automatically.
Cracked players are sent to a limbo/auth server and must use /register or /login.
Session users can be logged in automatically when they reconnect from the same address.
Backend servers receive trusted auth state from the proxy and restrict unauthenticated players.

During authorization, the backend can block movement, interactions, chat, commands, inventory usage, set player time/weather, show titles, bossbars, actionbars, and even display a captcha map.

✅ Main Features

Proxy-first authentication system
Velocity and BungeeCord support
Paper/Spigot backend support
Premium and cracked account handling
Automatic premium player registration
Password registration and login
Optional password confirmation
Modern password hashing plus legacy hash migration support
Safe password regex and weak-password checks
Manual and automatic sessions
Email password recovery
Optional TOTP two-factor authentication
Optional captcha map for new cracked registrations
Limbo servers for unauthenticated players
Main-server redirects after /login and /register
Last-server redirection
Backend protection through access tokens and trusted proxy IPs
SQLite, MySQL, MariaDB, and PostgreSQL support
Configurable HikariCP connection pool
Configurable messages with chat, title, subtitle, bossbar, actionbar, and kick screen types
Hex colors and gradients in messages
Admin commands under /maxauth and /mauth
Discord audit webhooks
Automatic config/message updates for new settings
JPremium database migration helper

Supported Password Hashes
MaxAuth supports modern password hashing algorithms for newly created or rehashed cracked-player passwords.

Recommended for new passwords:

ARGON2ID
BCRYPT

Other configurable algorithms:

PBKDF2_SHA256
PBKDF2_SHA512
SALTEDSHA512
SHA256 - MaxAuth salted SHA-256
SHA512 - MaxAuth salted SHA-512

Migration-only hashes accepted from the database:

SALTEDSHA256
DOUBLE_SHA512
AUTHME_SHA256
AUTHME_SHA
PBKDF2
CSHA256 - classic unsalted SHA-256
CSHA512 - classic unsalted SHA-512
MD5VB
IPB3
IPB4
JOOMLA
MYBB
PHPBB
PHPFUSION
SMF
WBB3
WBB4
XFBCRYPT
ROYALAUTH
MD5
SHA1
DOUBLE_MD5
DOUBLE_SHA1
BCRYPT2Y

When rehashPasswordWhenUsingDifferentAlgorithm is enabled, legacy passwords are automatically upgraded to the configured hashing algorithm after a successful login.

Note: SHA256 and SHA512 in MaxAuth are salted hashes. Classic unsalted SHA-256 and SHA-512 are supported for migration as CSHA256 and CSHA512.

⭐ Based on JPremium
MaxAuth is heavily inspired by the original JPremium authentication flow.

It keeps many familiar ideas:

Premium automatic authentication
Cracked /register and /login flow
Limbo authorization servers
Premium username protection
Sessions
Two-factor authentication
Email recovery
Captcha during registration
UUID mode handling

But MaxAuth adds a cleaner configuration structure, modern message system, backend protections, diagnostics, Discord audit logging, automatic config/message updates, and a safe migration tool.

Migration from JPremium
MaxAuth includes a migration helper for servers moving from outdated JPremium.

If MaxAuth detects the old JPremium SQL table user_profiles, it creates a migration report file:

Code (Text):

plugins/maxauth/migrate_DB.yml

The file shows:

How many old JPremium accounts were found
How many accounts can be migrated
How many accounts would be skipped because of collisions
Whether required columns are present

Migration is manual and safe.
You review the report, enable migration, restart the proxy, and MaxAuth transfers the old accounts into the new MaxAuth table.

Existing MaxAuth accounts are preferred if a collision exists.

Plugin Structure
MaxAuth has two parts in one plugin jar:

Proxy plugin - installed on Velocity or BungeeCord
Backend plugin - installed on Paper/Spigot servers behind the proxy

The proxy is the main authority.
The backend protects players during authorization and verifies that auth state updates really came from the trusted proxy.

⚙️ Supported Platforms
Proxy:

Velocity
BungeeCord

Backend:

Paper
Spigot

Java:

Java 17 or newer

Databases:

SQLite
MySQL
MariaDB
PostgreSQL

Authentication Flow

Player connects to the proxy
MaxAuth checks account type and stored profile
Premium users may be authenticated automatically
Cracked users are sent to limbo/auth server
Backend restrictions are applied while unauthenticated
Player uses /register or /login
MaxAuth updates the auth state
Player is redirected to the configured main server

Messages and Styling
MaxAuth has a highly configurable message system.

You can configure:

Chat messages
Titles
Subtitles
Bossbars
Actionbars
Kick screens
Admin command messages
Login/register instructions

Messages support classic Minecraft color codes and hex colors.

Example:

Code (Text):

{prefix} &8» &aSuccessfully logged in!

Gradient format is supported too:

Code (Text):

{#55ff55>}MaxAuth{<#55ffff}

Admin Tools
MaxAuth includes useful admin and development commands.

/maxauth - Shows plugin info
/maxauth help - Shows command help
/maxauth reload - Reloads configuration and messages
/maxauth configcheck - Checks current configuration
/maxauth checkflow - Shows current authentication flow
/maxauth testmail <email> - Sends a diagnostic recovery email test
/maxauth spawnset - Sets backend auth spawn location
/maxauth viewuserprofile - Shows user profile information
/maxauth unregister - Admin unregister command
/maxauth login - Admin login command

/maxauth testmail <email> uses the executor nickname and recovery code 123456, then reports SMTP host, port, encryption mode, send time, and success or failure status in chat.

Player Commands

/register <password> - Register cracked account
/login <password> - Log into cracked account
/changepassword - Change password
/unregister - Remove own registration
/premium - Switch account to premium mode
/cracked - Switch account to cracked mode
/startsession - Start manual session
/destroysession - Destroy session
/requestsecondfactor - Start 2FA setup
/activatesecondfactor - Activate 2FA
/deactivatesecondfactor - Disable 2FA
/requestpasswordrecovery - Request password recovery email
/confirmpasswordrecovery - Confirm password recovery

Password recovery player commands are available only during the login phase, before the player logs in. If confirmPassword is enabled, /confirmpasswordrecovery requires the repeated password:

Code (Text):

/confirmpasswordrecovery <recovery-code> <password> <password>

️ Backend Protection
The backend plugin can protect unauthenticated players by blocking:

Movement
Chat
Commands
Interactions
Inventory usage
Damage-related actions

It can also:

Teleport players to auth spawn
Lock player time during authorization
Lock player weather during authorization
Apply blindness effect
Show captcha map
Verify trusted proxy state updates

Discord Audit Webhooks
MaxAuth can send audit logs to Discord webhooks.

You can configure multiple webhook targets and decide what each webhook should receive.

Useful for:

Admin commands
Login/register events
Failed login attempts
Kicks
Password recovery events
2FA events
Profile changes
Security-related actions

Proxy Configuration Example

Code (YAML):

# ︽︽ If any new settings are added in future updates, they will appear at the top of the configuration file automatically. ︽︽
#+------------------------------------------------------------------------------------------------------+
#| |
#| M A X A U T H |
#| P R O X Y C O N F I G |
#| |
#+------------------------------------------------------------------------------------------------------+

#+------------------------------------------------------------------------------------------------------+
#| STARTUP AND DEBUG |
#+------------------------------------------------------------------------------------------------------+

# Log premium/cracked detection, resolver decisions, redirect decisions, and other auth flow details.
# Keep this disabled on production unless you are diagnosing a problem.
debug : false

#+------------------------------------------------------------------------------------------------------+
#| STORAGE |
#+------------------------------------------------------------------------------------------------------+

# Database type used by MaxAuth.
# Supported values: SQLITE, MYSQL, MARIADB, POSTGRESQL.
# SQLITE is fine for testing and small servers. MYSQL/MARIADB/POSTGRESQL are recommended for networks.
storageType : SQLITE

# Database table name used for storing MaxAuth user profiles.
# Default: maxauth_users
# Use only letters, numbers, and underscores.
storageTableName : maxauth_users

# Database connection settings.
# SQLITE ignores host, port, database, user, and password.
storageHost : ''
storagePort : 3306
storageDatabase : ''
storageUser : ''
storagePassword : ''

# Extra JDBC properties appended to the database connection.
# Example: ['useSSL=false', 'characterEncoding=utf8']
storageProperties : [ ]

# Storage connection pool settings.
# Lower these values on shared hosting or small VPS databases with low connection limits.
connectionPoolSize : 10
connectionPoolIdle : 10
connectionPoolTimeout : 5000
connectionPoolLifetime : 1800000
connectionKeepAliveTime : 0

#+------------------------------------------------------------------------------------------------------+
#| PROXY AND BACKEND COMMUNICATION |
#+------------------------------------------------------------------------------------------------------+

# Access token used to verify MaxAuth plugin messages between the proxy and backend servers.
# Use a long random value and set the exact same value in every backend configuration.
# Keep this private. Anyone with this token could try to spoof backend state messages.
# You can generate a secure random token using online tools (e.g., https://www.browserling.com/tools/random-string).
accessToken : ' { {ACCESS_TOKEN } }'

#+------------------------------------------------------------------------------------------------------+
#| SERVER ROUTING |
#+------------------------------------------------------------------------------------------------------+

# Limbo server names.
# Unauthorized cracked players are sent here to login or register.
# You can add multiple servers as fallbacks, for example: [limbo1, limbo2]
# If empty, MaxAuth will not redirect unauthorized players.
limboServerNames : [limbo ]

# Main server names.
# Authorized players are sent here after successful login/register when redirects are enabled.
# You can add multiple servers as fallbacks, for example: [lobby, survival]
# If empty, MaxAuth will not redirect authorized players.
mainServerNames : [main ]

# Redirect cracked players to mainServerNames after successful /register.
# If enabled, register success chat/title messages are shown after the player reaches the main server.
afterRegisterRedirect : true

# Redirect cracked players to mainServerNames after successful /login.
# If enabled, login success chat/title messages are shown after the player reaches the main server.
afterLoginRedirect : true

# Redirect players to the last non-limbo server they were on before quitting.
# If disabled, players use the normal mainServerNames selection.
lastServerRedirection : false

# BungeeCord only: redirect players to a fallback target after they are kicked from a backend server.
disconnectRedirection : true

# Delay titles and first join messages after the player reaches a backend server, in milliseconds.
# Increase this if your server needs more time before it can reliably show titles or chat messages.
delayTitlesAfterJoinTime : 1000

#+------------------------------------------------------------------------------------------------------+
#| ACCOUNT DETECTION AND UUIDS |
#+------------------------------------------------------------------------------------------------------+

# UUID mode assigned to players.
# Supported values: REAL, OFFLINE, FIXED.
# REAL = recommended default; premium players use Mojang UUIDs and cracked players use MaxAuth's normal auth flow.
# OFFLINE = offline UUID fallback based on nickname; useful mainly for specific migrations or legacy offline setups.
# FIXED = stable MaxAuth offline fallback UUID mode; useful mainly for specific migrations or special setups.
# Do not change this after players are registered unless you are intentionally migrating data.
uniqueIdsType : REAL

# Support Floodgate/Geyser Bedrock players.
# enabled:
# Enables basic Floodgate compatibility and Bedrock UUID handling.
# useApiVerification:
# Uses Floodgate API when available for more accurate detection,
# especially linked Bedrock-Java accounts. Falls back to basic detection
# if Floodgate API is not installed.
floodgateSupport:
enabled : false
useApiVerification : true

# Automatically register new premium players.
# If enabled, premium players can join without manually creating a password account.
registerPremiumUsers : true

# Use the 1.19.1+ handshake UUID hint to distinguish premium players earlier in the login flow.
# Older clients and unsupported setups fall back to the normal resolver flow.
detectPremiumUniqueIdsInHandshake : true

# If a player with a premium nickname disconnects during premium verification,
# treat the next attempt as cracked.
secondLoginCracked : false

# Kick a new player on first join and ask them to reconnect.
# This is applied only when the player is not in the database yet.
firstTimeJoinKick : false

# New player types affected by firstTimeJoinKick.
# allcracked = all non-premium joins
# cracked = only clearly cracked players
# premium = confirmed premium players
# all = every new player
firstTimeJoinKickUser : allcracked

# Force new cracked players to register on your website instead of in-game.
registerOnWebsite : false # !! deprecated and not used now, as the old website registration flow is removed. !!

#+------------------------------------------------------------------------------------------------------+
#| AUTHENTICATION |
#+------------------------------------------------------------------------------------------------------+

# Require cracked players to confirm passwords in register, change password, create password,
# and password recovery confirm commands.
# When changing this, update related usage messages in messages.yml if needed.
confirmPassword : true

# Require /confirm before risky commands such as /unregister, /premium, and /cracked.
riskyCommandsConfirmation : true

# Maximum time cracked players have to login or register, in seconds.
# When the time expires, they are disconnected.
maximumAuthorisationTime : 90

# Maximum failed login attempts before disconnecting a cracked player.
# Use 0 to disable this limit.
maximumLoginTriesBeforeDisconnection : 5

# IP ban duration after reaching the failed login limit, in minutes.
addressBanDuration : 10

# Maximum cracked profiles that can be registered from one IP address.
# Use 0 to disable the limit.
maximumUserProfilesPerAddress : 0

# Days after which absent cracked players are automatically unregistered.
# Use 0 to disable automatic cleanup.
automaticUnregisterTime : 0

#+------------------------------------------------------------------------------------------------------+
#| PASSWORDS |
#+------------------------------------------------------------------------------------------------------+

# Password hashing algorithm for new cracked-player passwords.
# Recommended values: ARGON2ID, BCRYPT.
# Other configurable values: PBKDF2_SHA256, PBKDF2_SHA512, SALTEDSHA512, SHA256, SHA512.
# SHA256 and SHA512 are MaxAuth salted hashes. Classic unsalted SHA hashes are migration-only as CSHA256 and CSHA512.
passwordHashingAlgorithm : ARGON2ID

# Re-hash a password on login when it uses a different algorithm than configured above.
# Useful when migrating from legacy algorithms to ARGON2ID or BCRYPT.
# Migration-only hashes accepted from the database include:
# SALTEDSHA256, DOUBLE_SHA512, AUTHME_SHA256, AUTHME_SHA, PBKDF2, CSHA256, CSHA512,
# MD5VB, IPB3, IPB4, JOOMLA, MYBB, PHPBB, PHPFUSION, SMF, WBB3, WBB4, XFBCRYPT,
# ROYALAUTH, MD5, SHA1, DOUBLE_MD5, DOUBLE_SHA1, BCRYPT2Y.
rehashPasswordWhenUsingDifferentAlgorithm : true

# Regular expression that cracked-player passwords must match.
# Default: 6-25 non-whitespace characters.
safePasswordPattern : ' [\S ] {6,25 }'

#+------------------------------------------------------------------------------------------------------+
#| CAPTCHA |
#+------------------------------------------------------------------------------------------------------+

# Require new cracked players to enter the captcha code shown on the backend captcha map.
# If false, captcha is fully disabled and the backend will not give the captcha map.
# The map slot itself is configured only in backend configuration.yml as captchaMapSlot.
verifyCaptchaCode : false

#+------------------------------------------------------------------------------------------------------+
#| SESSIONS |
#+------------------------------------------------------------------------------------------------------+

# Manual session duration started by /startsession, in minutes.
manuallySessionTime : 720

# Automatic session duration after successful login/register, in minutes.
# Use 0 to disable automatic sessions.
automaticSessionTime : 10

#+------------------------------------------------------------------------------------------------------+
#| PASSWORD RECOVERY AND 2FA |
#+------------------------------------------------------------------------------------------------------+

# Server name shown in TOTP authenticator apps and recovery-related messages.
serverName : Your server name

# Enable email-based features.
# If false, email reminders are not sent and these commands are disabled:
# /changeemailaddress, /requestpasswordrecovery, /confirmpasswordrecovery,
# and matching /maxauth admin subcommands.
emailEnabled : false

# Enable two-factor authentication features.
# If false, 2FA reminders are not sent, existing 2FA tokens are ignored during login,
# and these commands are disabled:
# /requestsecondfactor, /activatesecondfactor, /deactivatesecondfactor,
# and matching /maxauth admin subcommands.
secondFactorEnabled : false

# Delay between password recovery requests, in minutes.
recoveringPasswordDelay : 60

# Email subject used for password recovery.
passwordRecoverySubject : The password recovery

# Mail server used by password recovery.
# If you do not use recovery, leave these empty.
mailHost : ''
mailPort : 25
mailUser : ''
mailPassword : ''
mailName : Your server name
# Mail encryption mode.
# Supported values: NONE, STARTTLS, SSL.
# Use STARTTLS for ports such as 587 and SSL for ports such as 465.
mailEncryption : STARTTLS
# Deprecated compatibility fallback for old configs.
# If mailEncryption is missing, true maps to STARTTLS and false maps to NONE.
mailUseTLS : true

# mailEncryption values:
# NONE = plain SMTP
# STARTTLS = upgraded TLS connection, usually port 587
# SSL = implicit TLS connection, usually port 465

#+------------------------------------------------------------------------------------------------------+
#| USERNAME AND STAFF PROTECTION |
#+------------------------------------------------------------------------------------------------------+

# Regular expression for allowed usernames.
# Do not add the Floodgate prefix here; MaxAuth handles Floodgate separately when enabled.
allowedUsernamePattern : ' [a-zA-Z0-9_ ] {2,16 }'

# Account UUIDs that staff/admin commands cannot manage.
# Use full UUID format with dashes.
protectedAccounts : [ ]

#+------------------------------------------------------------------------------------------------------+
#| COMMANDS |
#+------------------------------------------------------------------------------------------------------+

# Commands that not-logged cracked players can execute.
# Include login aliases here too, otherwise aliases may be blocked before authorization.
logoutUserCommands : [login, register, requestpasswordrecovery, confirmpasswordrecovery, l ]

# /login command aliases.
# Example: [l, log]
loginCommandAliases : [l ]

#+------------------------------------------------------------------------------------------------------+
#| DISCORD AUDIT WEBHOOKS |
#+------------------------------------------------------------------------------------------------------+

# Discord audit webhooks.
# You can define multiple webhooks and route different event categories to different Discord channels.
# Leave enabled false or url empty to disable a webhook entry.
# Event switches:
# adminDiagnostics = /maxauth configcheck and /maxauth checkflow
# adminProfileViews = profile lookup/view commands
# adminProfileMutations = register, unregister, password, premium/cracked, purge, merge, email changes
# adminAuthActions = login/session admin actions
# adminRecoveryActions = password recovery admin actions
# adminSecondFactorActions = 2FA admin actions
# adminSpawnSet = /maxauth spawnset
# adminReload = /maxauth reload
# allPlayerCommands = every player command attempt, including commands from other plugins
# blockedCommands = commands blocked before authorization
# commandLogin = /login and aliases from MaxAuth
# commandRegister = /register
# commandConfirm = /confirm
# commandStartSession = /startsession
# commandDestroySession = /destroysession
# commandCreatePassword = /createpassword
# commandChangePassword = /changepassword
# commandUnregister = /unregister
# commandPremium = /premium
# commandCracked = /cracked
# commandChangeEmailAddress = /changeemailaddress
# commandRequestPasswordRecovery = /requestpasswordrecovery
# commandConfirmPasswordRecovery = /confirmpasswordrecovery
# commandRequestSecondFactor = /requestsecondfactor
# commandActivateSecondFactor = /activatesecondfactor
# commandDeactivateSecondFactor = /deactivatesecondfactor
# commandMaxAuth = /maxauth, /mauth, /reloadmaxauth
# loginResults = successful and failed /login results
# registerResults = successful and failed /register results
# sessionResults = session-related command results
# accountResults = premium/cracked/unregister account command results
# passwordResults = password command results
# recoveryResults = password recovery command results
# secondFactorResults = 2FA command results
# playerKicks = MaxAuth kicks/disconnects
# joinFlow = join/session flow diagnostics
# successfulActions = send successful actions
# failedActions = send failed actions and invalid usage/profile-not-found attempts
sendDiscordWebhooks:
- name : admin-audit
enabled : false
url : ''
adminDiagnostics : true
adminProfileViews : true
adminProfileMutations : true
adminAuthActions : true
adminRecoveryActions : true
adminSecondFactorActions : true
adminSpawnSet : true
adminReload : true
allPlayerCommands : false
blockedCommands : true
commandLogin : true
commandRegister : true
commandConfirm : true
commandStartSession : true
commandDestroySession : true
commandCreatePassword : true
commandChangePassword : true
commandUnregister : true
commandPremium : true
commandCracked : true
commandChangeEmailAddress : true
commandRequestPasswordRecovery : true
commandConfirmPasswordRecovery : true
commandRequestSecondFactor : true
commandActivateSecondFactor : true
commandDeactivateSecondFactor : true
commandMaxAuth : true
loginResults : true
registerResults : true
sessionResults : true
accountResults : true
passwordResults : true
recoveryResults : true
secondFactorResults : true
playerKicks : true
joinFlow : false
successfulActions : true
failedActions : true

Backend Configuration Example

Code (YAML):

Screenshots

Login title / chat message
[IMG]

Register screen
[IMG]

Bossbar timer
[IMG]

Captcha map
[IMG]

Discord audit logging
[IMG]

Config check / checkflow
[IMG]

Documentation
Full documentation is available on the wiki:

Why use MaxAuth?
✅ Modern successor to JPremium
✅ Premium and cracked authentication in one system
✅ Proxy-first UUID and auth control
✅ Protects backend servers during authorization
✅ Safe migration from JPremium
✅ Fully configurable messages
✅ Hex colors and gradients
✅ Captcha, sessions, 2FA and email recovery
✅ Discord audit logging
✅ SQLite/MySQL/MariaDB/PostgreSQL support
✅ Built for real Minecraft networks

Known Issues / Roadmap
This section lists features that are planned, currently being improved, or known to still need additional testing before they are considered fully finished.

Discord recovery - planned. A recovery flow through Discord is planned for a future update.
Debug setting - the debug configuration option may not work correctly in all cases yet.
Bug reports and suggestions - if you find a bug or have an idea for a new feature, please report it through the support channel or discussion page.

Minecraft servers using this plugin

play.aestros.cz
[IMG]