The World and Character Management System is a comprehensive solution built on Cloudflare Workers and R2 storage, designed to handle both virtual world publishing and AI character management. This system provides endpoints for managing worlds (3D environments), user authentication, and interactive AI characters.
Before you begin, ensure you have the following:
- A Cloudflare account with Workers and R2 enabled
- Node.js (version 12 or later) and npm installed
- Wrangler CLI installed and authenticated with your Cloudflare account
The wrangler.toml
file contains the configuration for your worker and R2 bucket. Key configurations include:
VISIT_COUNTS
: Tracks world visitsDOWNLOAD_RATELIMIT
: Manages rate limitingDOWNLOAD_QUEUE
: Handles download queues
WORLD_REGISTRY
: Class name (WorldRegistryDO
)USER_AUTH
: Class name (UserAuthDO
)CHARACTER_REGISTRY
: Class name (CharacterRegistryDO
)
CHARACTER_SALT
: Secret for character encryptionUSER_KEY_SALT
: Secret for user key generationAPI_SECRET
: Admin API secretCF_ACCOUNT_ID
: Cloudflare account IDCF_GATEWAY_ID
: Cloudflare gateway IDOPENAI_API_KEY
: OpenAI API key (for character AI)ANTHROPIC_API_KEY
: Anthropic API key (for character AI)
/
: Homepage with author listings and world directory/world-data
: Retrieve world metadata (cached)/author-data
: Retrieve author data (cached)/authors-list
: Get a list of all authors (cached)/directory/{author}/{slug}
: Get HTML page for a specific world (cached)/author/{author}
: Get HTML page for a specific author (cached)/version-check
: Compare new version against author/slug/metadata.json/download
: Download a world file/download-count
: Get download count for a world/search
: Search worlds with optional tag filtering/directory/search
: Get HTML search results page/visit-count
: Get visit count for a world
/upload-world
: Upload a world's HTML content and assets/world-metadata
: Update world metadata/update-active-users
: Update active users count for a world/world-upload-assets
: Upload world assets (previews, etc.)/update-author-info
: Update author information/backup-world
: Create backup of currently live files/delete-world
: Remove a specific world
/character-data
: Get character metadata and configuration/featured-characters
: Get list of featured characters/author-characters
: Get all characters for an author/characters/{author}/{name}
: Get character profile page
/create-character
: Create new character/update-character
: Update existing character/update-character-metadata
: Update character metadata only/update-character-images
: Update character profile/banner images/update-character-secrets
: Update character API keys and credentials/delete-character
: Remove character and associated data/api/character/session
: Initialize new character session/api/character/message
: Send message to character/api/character/memory
: Create memory for character/api/character/memories
: Get character memories/api/character/memories/by-rooms
: Get memories across multiple rooms
/register
: Get registration page HTML/create-user
: Register new user (requires invite code)/roll-api-key
: Get API key roll interface/roll-key-with-token
: Complete key roll with verification token/initiate-key-roll
: Start key recovery process/verify-key-roll
: Complete key recovery with GitHub verification
/rotate-key
: Standard API key rotation/delete-user
: Remove user and associated data (admin only)/admin-update-user
: Update user details (admin only)
Most POST endpoints require authentication via API key in the Authorization header:
curl -X POST https://your-worker.dev/endpoint \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json"
Admin-only endpoints require the main API secret:
curl -X POST https://your-worker.dev/admin-update-user \
-H "Authorization: Bearer YOUR_API_SECRET" \
-H "Content-Type: 'application/json"
The Plugin Publishing System includes a robust user management system with secure registration, API key management, and GitHub-based verification.
New users can register through the /register
endpoint which provides a web interface for:
- Creating a new author account
- Setting up GitHub integration
- Generating initial API credentials
- Requiring invite codes for controlled access
Registation workflow:
- User visits the registration page
- Provides username, email, GitHub username, and invite code
- System validates credentials and invite code
- Generates initial API key
- Downloads configuration file with credentials
Characters support rich configuration including:
- Basic info (name, bio, status)
- Model provider selection (OpenAI/Anthropic)
- Communication channels (Discord, Direct)
- Personality traits and topics
- Message examples
- Style settings
- Custom API keys per character
Characters maintain:
- Conversation history
- User-specific memories
- Room-based context
- Memory importance scoring
- Cross-room memory retrieval
- Secure session initialization
- Nonce-based message validation
- Room-based conversations
- Auto-cleanup of expired sessions
CREATE TABLE worlds (
id INTEGER PRIMARY KEY AUTOINCREMENT,
author TEXT NOT NULL,
slug TEXT NOT NULL,
name TEXT NOT NULL,
short_description TEXT,
version TEXT NOT NULL,
visit_count INTEGER DEFAULT 0,
active_users INTEGER DEFAULT 0,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE(author, slug)
);
CREATE TABLE characters (
id INTEGER PRIMARY KEY AUTOINCREMENT,
author TEXT NOT NULL,
name TEXT NOT NULL,
model_provider TEXT NOT NULL,
bio TEXT,
settings TEXT,
vrm_url TEXT,
profile_img TEXT,
banner_img TEXT,
status TEXT DEFAULT 'private',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE(author, name)
);
CREATE TABLE character_secrets (
id INTEGER PRIMARY KEY AUTOINCREMENT,
character_id INTEGER NOT NULL,
salt TEXT NOT NULL,
model_keys TEXT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY(character_id) REFERENCES characters(id)
);
CREATE TABLE character_sessions (
id TEXT PRIMARY KEY,
character_id INTEGER,
room_id TEXT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_active TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY(character_id) REFERENCES characters(id)
);
CREATE TABLE users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username TEXT NOT NULL UNIQUE,
email TEXT NOT NULL,
github_username TEXT,
key_id TEXT NOT NULL UNIQUE,
key_hash TEXT NOT NULL,
invite_code_used TEXT NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_key_rotation TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
The system provides several methods for managing API keys:
- Endpoint:
POST /rotate-key
- Requires current API key authentication
- Generates new credentials immediately
- Invalidates previous key
For users who need to recover access, the system provides a secure GitHub-based verification:
-
Initiate Recovery
- Endpoint:
POST /initiate-key-roll
- Required fields:
{ "username": "string", "email": "string" }
- Returns verification instructions and token
- Endpoint:
-
Create Verification Gist
- User creates a public GitHub gist
- Filename must match pattern:
plugin-publisher-verify-{username}.txt
- Content must include provided verification token
-
Complete Verification
- Endpoint:
POST /verify-key-roll
- Required fields:
{ "gistUrl": "string", "verificationToken": "string" }
- System verifies:
- Gist ownership matches registered GitHub username
- Verification token is valid and not expired
- File content matches expected format
- Returns new API key upon successful verification
- Endpoint:
The system implements caching for GET requests with:
- CDN edge caching (1-hour TTL)
- Version-based cache keys
- Automatic invalidation on content updates
- Auth-based cache bypassing
Cache is automatically invalidated when:
- A new world/character is published
- Author information is updated
- A GET request contains a valid API secret
- IP-based rate limiting using Cloudflare KV
- 5 downloads per hour per IP/world combination
- Message rate limiting for character interactions
- HMAC-based API key validation
- Nonce-based message authentication
- Salt-based secret encryption
- GitHub-based key recovery verification
- CSP headers for world rendering
- Invite code system for registration
All endpoints return standardized error responses:
{
"error": "Error description",
"details": "Detailed error message"
}
- Always verify API keys before sensitive operations
- Use appropriate content-type headers
- Implement proper error handling
- Clear cache after content updates
- Regular key rotation
- Monitor rate limits
- Backup important worlds before updates
- Wrangler not found: Ensure Wrangler is installed globally:
npm install -g wrangler
- Deployment fails: Verify you're logged in to your Cloudflare account:
npx wrangler login
- R2 bucket creation fails: Confirm R2 is enabled for your Cloudflare account
- API requests fail: Double-check you're using the correct API Secret in your requests
- The setup script assumes you have the necessary permissions to create resources and deploy workers in your Cloudflare account.
- The script does not provide options for cleaning up resources if the setup fails midway.
- Existing resources with the same names may be overwritten without warning.
- Caching is set to a fixed duration (1 hour). Adjust the
max-age
value in the code if you need different caching behavior.
For issues or assistance:
- Check the Troubleshooting section
- Review the Cloudflare Workers documentation
- Contact Cloudflare support for platform-specific issues