Nitro V3 Secure Runtime

Runtime configuration guide

This page gives you a cleaner, readable overview of runtime toggles, example files and the values that belong in config files rather than hardcoded inside src.

Overview

Dist Obfuscation

Chooses whether the client loads app.js/app.css or the obfuscated .dat versions.

Secure Assets

Controls whether renderer-config, ui-config and gamedata go through /nitro-sec/file.

Secure API

Enables or disables runtime encryption for /api/* requests.

Files to use

File Purpose Note
public/configuration/client-mode.example Template for runtime toggles Copy it into a real configuration/client-mode.json in deployment; that real file stays ignored by Git
public/configuration/renderer-config.example Clean renderer config template Does not touch your local configuration/renderer-config.json
public/configuration/ui-config.example UI config reference template Use it as the source of truth for UI URLs and widgets
Latest_Compiled_Version/config.ini.example Backend secure flags Defines the emulator-side runtime settings

client-mode.example

This is the main runtime switchboard. You can enable or disable behavior without editing client source code.

{
    "distObfuscationEnabled": true,
    "secureAssetsEnabled": true,
    "secureApiEnabled": true,
    "apiBaseUrl": "https://nitro.example.com:2096",
    "plainConfigBaseUrl": "https://hotel.example.com/configuration/",
    "plainGamedataBaseUrl": "https://hotel.example.com/client/nitro/gamedata/"
}

Fields

  • distObfuscationEnabled: use .dat or plain assets
  • secureAssetsEnabled: enables /nitro-sec/file
  • secureApiEnabled: encrypts /api/* requests
  • apiBaseUrl: emulator/API base URL

Recommendation

Always set apiBaseUrl explicitly so you do not rely on fallback logic.

renderer-config.example

Socket, API, asset and gamedata URLs should live here, not inside React components.

Main keys

  • socket.url
  • api.url
  • asset.url
  • image.library.url
  • images.url
  • gamedata.url

Translations

  • external.texts.translation.url
  • furnidata.translation.url
  • Uses %locale% and %timestamp%

ui-config.example

UI image and login view sources should come from config values here or from renderer config, never from hardcoded URLs in components.

Login view

  • loginview.images.background
  • loginview.images.drape
  • loginview.images.left
  • loginview.images.right
  • loginview.widgets for promotional blocks

Runtime code involved

src/bootstrap.ts

Reads client-mode, builds NitroConfig['config.urls'] and prepares client bootstrap.

src/secure-assets.ts

Handles ECDH, decrypt/encrypt, plain fallback and secure API runtime behavior.

scripts/write-asset-loader.mjs

Generates public/configuration/asset-loader.js and decides between plain assets and .dat.

scripts/minify-dist.mjs

Generates .dat files while keeping plain files available for runtime switching.

Emulator

nitro.secure.assets.enabled=true
nitro.secure.api.enabled=true
nitro.secure.config.root=C:/path/to/Nitro-V3/public
nitro.secure.gamedata.root=C:/path/to/gamedata
nitro.secure.master_key=change-me-to-a-long-random-secret
  • nitro.secure.assets.enabled: enables /nitro-sec/bootstrap and /nitro-sec/file
  • nitro.secure.api.enabled: enables secure handling for /api/*
  • nitro.secure.config.root: path to live config files
  • nitro.secure.gamedata.root: path to live gamedata
  • nitro.secure.master_key: persistent server-side secret

Quick scenarios

Everything enabled

Secure assets, secure API and dist obfuscation all enabled.

Only .dat

Uses obfuscated assets but leaves config/API in plain mode.

Everything plain

Complete fallback mode for local testing or debugging.

Final checklist

You created real files from client-mode.example, renderer-config.example and ui-config.example
Public URLs live in config files, not in React components
Both plain files and .dat files are deployed
Your server exposes a proper MIME type for .dat
You set nitro.secure.master_key on the emulator side