# Restrict Who Can Join Your Schedule 1 Server (/docs/schedule-1/server-password)



import { Callout } from 'fumadocs-ui/components/callout';
import { Step, Steps } from 'fumadocs-ui/components/steps';

Schedule I's DedicatedServerMod doesn't expose a single "server password" field like Minecraft or Valheim. Authentication is handled by Steam (`SteamGameServer` provider), and access control is done through the **permissions system** in `permissions.toml`.

There are three honest ways to control who joins:

1. **Allow / deny by Steam ID** in `permissions.toml` (most reliable, recommended)
2. **Ban specific Steam IDs** for anyone you don't want back
3. **Hide your server** by keeping the IP unpublished and only sharing it with your crew

<Callout type="info">
  If the current DedicatedServerMod build has gained a top-level `serverPassword` field since this doc was written, check [docs.s1servers.com](https://docs.s1servers.com/) for the canonical schema and use that. The model below is what the system genuinely supports today.
</Callout>

***

Option 1 — Allowlist via permissions.toml [#option-1--allowlist-via-permissionstoml]

The cleanest "only my friends" setup: assign known Steam IDs to a permissive group, deny everyone else by default.

<Steps>
  <Step>
    Stop the server from the panel **Dashboard**.
  </Step>

  <Step>
    Open **File Manager** → edit `permissions.toml`.
  </Step>

  <Step>
    Set up the allowlist:

    ```toml
    [group.default]
    priority = 0
    allow = []
    deny = ['*']                         # Deny everything for unknown users

    [group.crew]
    priority = 50
    inherits = ['default']
    allow = ['*']                        # Members of "crew" get full access

    [user.76561198000000000]
    groups = ['crew']

    [user.76561198111111111]
    groups = ['crew']

    [user.76561198222222222]
    groups = ['crew']
    ```

    Convert your friends' profile URLs to SteamID64s using [steamid.io](https://steamid.io/) and add a `[user.<steamid>]` block for each.
  </Step>

  <Step>
    Save and run `reloadpermissions` from the **Console** tab.
  </Step>
</Steps>

Anyone whose Steam ID isn't in `permissions.toml` falls into the `default` group, which has everything denied — they can't take any privileged action, including (depending on permission node coverage) connecting.

<Callout type="warn">
  The exact "deny connect" permission node varies between mod versions. If the wildcard `deny = ['*']` doesn't block the actual connection, check [docs.s1servers.com/configuration/permissions](https://docs.s1servers.com/) for the specific connection-related node and deny that one explicitly.
</Callout>

***

Option 2 — Ban specific users [#option-2--ban-specific-users]

If you only need to keep specific bad actors out, ban them by Steam ID:

```toml
[ban.76561198987654321]
subjectId = '76561198987654321'
reason = 'griefing'
```

Or use the console wrapper:

```
ban <player_name_or_id> [reason]
```

Bans reject the connection outright before group / permission checks run. See [Operators, Admins & TCP Console](/docs/schedule-1/operators-admins).

***

Option 3 — Don't publish the IP [#option-3--dont-publish-the-ip]

If you have a small private crew and don't want to manage allowlists:

* Don't post your server IP in any public Discord or Reddit thread
* Don't enable Steam server browser advertising if/when the mod adds that
* Run the server on a non-default `serverPort` so it isn't picked up by port scanners targeting `38465`

Security through obscurity is weak — but for a 4-player vanilla server that you only share with friends, it's pragmatic.

***

What about the TCP console password? [#what-about-the-tcp-console-password]

The `[tcpConsole]` block has its own auth model for *remote admin access*, separate from joining the game. The upstream docs warn: *"If exposing TCP console beyond localhost, require a password and treat it as a trusted admin surface, not a public service."*

The exact field name for the TCP console password depends on the current mod build. Check [docs.s1servers.com/host-console](https://docs.s1servers.com/) before exposing the TCP console publicly.

The XGamingServer panel keeps the TCP console bound to localhost by default so you don't need a password for it — admin via the **Console** tab in your panel is always available.

***

Changing access after a leak [#changing-access-after-a-leak]

If someone unwanted got in:

1. **Ban their Steam ID** in `permissions.toml` (see Option 2 above).
2. **Tighten your allowlist** if you weren't already using one — switch the `default` group to `deny = ['*']` and add explicit `[user.<steamid>]` entries.
3. **Optionally rotate `serverPort`** under **Network → Allocations** — open a ticket if you need a new allocation.

***

Related Guides [#related-guides]

* [Operators, Admins & TCP Console →](/docs/schedule-1/operators-admins)
* [Server Config Reference →](/docs/schedule-1/server-config)
* [Client Mod Verification →](/docs/schedule-1/client-mod-verification)
* [Rename Your Server →](/docs/schedule-1/rename-server)