Welcome to the Developer Update for August 28.

v1_DevUpdate_28Aug1920×1080 179 KB

Today’s featured world is VRC Volleyball by mamemoyasys.

Announcements

Bigscreen Beyond 2e: VRChat Edition + 10 Years of VRC+ Giveaway

BSB2e_Giveaway1920×1920 166 KB

You read that mouthful right! We’re giving away a Bigscreen Beyond 2e: VRChat edition and 10 Years of VRC+ to one lucky X/Twitter user!

Please read the full rules and eligibility requirements here.

You can enter the giveaway by RT’ing the original post here.

Unity Cloth Limits

Did you know that VRChat supports Unity Cloth?

If you did, this part is for you.

You might be aware that Cloth components with many affected vertices come with a hefty performance cost. This occurs on load, during avatar scaling, and even just at runtime. Some of this cost scales quadratically!

To limit this performance impact, we have begun adding hard limits to how many vertices a cloth component can affect before being removed by our server-processing step.

The limit, for now, is focused on crasher prevention – that is, you should not see this affect any meaningful amount of content, as anything processed this way would have previously crashed you.

Note that this will not fail Server Processing – it will just remove the Cloth component in that case.

Looking at our analytics, of the few avatars that use Cloth, their median affected vertex count is about 1700. For reference, the Very Poor limit is 200. And while PhysBones are a staple of VRChat avatar creation, less than 3% of avatars use Unity Cloth at all.

Realistically, a lower hard limit could really help avoid avatars with very bad performance, and so we came up with the idea of limiting it further to a maximum of 2000 or so.

We know, however, that this would break some amount of content, without giving a straightforward replacement in all cases.

In many, but not all cases, PhysBones can be used to replace functionality, but there is no cloth-physics replacement available in VRChat at the moment. We also lack the resources to add this any time soon, before you ask. And yes, this includes supporting third-party assets like Magica Cloth.

So to better understand the edge cases here, we figured we’d just ask directly. Are there any use-cases for Unity Cloth that require more than 2000 (or less/more) affected vertices? Would you be in favor of a reduced hard limit to avoid not just crashers, but also reduce the amount of avatars causing hard stutters on loading and scaling further?

Let us know!

Steam Audio Beta Updates

Scheduled reminder that we are still testing Steam Audio via the steam-audio-beta Steam branch! Anyone can opt-in, and you can check our Discord for more info and patch notes.

Last Friday, we release a major update featuring lots of bug fixes and a new HRTF. An HRTF, or Head-Related Transfer Function, is a function that models how a sound changes based on factors like its position relative to the listener and the listener’s head/torso/ear shape.

This is how, in many games like VRChat, you can determine where a sound is coming from more accurately than with simple stereo audio – you can (usually) tell if it’s coming from above you or below you, or in front of or behind you, and how far away it is.

There is no proper ‘universal’ HRTF that works perfectly for everyone, however, so there’s some amount of subjectivity involved, and we’re trying to land in a place that’s as comfortable as possible for as many people as possible.

Any feedback we can get about how audio sounds for you right now is helpful, as it may give us the necessary info to find the average we need to make it sound good for most people.

Before giving feedback, we recommend using the new build for at least a few hours. It can take your brain a bit of time to adjust to a new HRTF model!

You can leave your input on our dedicated Steam Audio Canny board! This board is not limited to just bug reports.

New Avatar Marketplace Row!

The Avatar Marketplace has a New Row… the New Row!

This has been available to all users for a couple of weeks, but we recently tweaked how it works to optimize it and make it a little snappier.

If you were looking for a way to see the latest content that’s available on Avatar Marketplace, come visit the Avatars Explore tab today and check out the “New” row!

…and hey, if you’re an avatar creator, there’s never been a better time to hop in!

AutoHold for VR Update

As we first shared in the July Creators Roadmap update, we’re updating Pickup components to support Auto Hold for all input types! This allows world creators to make pickups that stay in your hand without needing to hold the “Grab” button. It works on every platform - PC, VR, and mobile! This was previously not possible with most VR game controllers or Hand Tracking.

It’s very simple: just grab once to hold, then grab again to release. Check out the demo below to see it in action.

It won’t change how any existing pickups work, but you’ll start to see the new ‘stickier’ pickups after we release the SDK and creators update their worlds.

2FA Verification Failing Randomly? We Fixed It!

Some of you ran into a frustrating loop: you’d enter a valid 2FA code, only to be told it was invalid, again and again. This issue affected logins across the VRChat app, the VRChat website, and any third-party apps using our API.

It crept in gradually over the last ~3 weeks. We finally figured out what was happening and resolved it this Monday after which 2FA failures dropped immediately to normal levels.

In almost all cases, you don’t need to do anything, but if you still see this issue happening, try logging out and back in again.

What Happened?

A change rolling out in our upstream provider’s caching system interacted badly with our long-standing “cache-and-revalidate-everything-by-auth-cookie” caching rule.

In some cases, clients ended up not sending the fresh auth cookie during 2FA verification, or they sent an outdated one, causing perfectly valid 2FA codes to be rejected.

We disabled the specific cache rule on Monday, immediately clearing up 2FA verification failures. Around 8% of 2FA verification API requests representing around 5% of users were affected. Some users were able to pass 2FA verification after a few hours while others were temporarily locked out of their account until the fix was rolled out.

I want to go DEEPER

okay fine

So, our normal login flow looks something like this:

1. Client submits username/password to /api/1/auth/user.
2. Server responds with a Set-Cookie: auth=authcookie_b7f9961e-e6b0-46cf-9869-fce1d22b93c4; ... header and (if needed) indicates the next step is to 2FA-verify.
3. User retrieves a TOTP code from an authenticator app and types it into the client which submits the code to /api/1/auth/twofactorauth/totp/verify, including the current auth cookie.

We started seeing intermittent cases where step 3 arrived without the expected auth cookie, or arrived with an older, outdated/invalidated auth cookie despite us having just sent a new one in step 2.

From the server’s perspective, this looks like you’re not authenticated at all, returning an error.

What’s Caching Have to Do With It?

• We proxy API traffic through Cloudflare to our server provider.
• To reduce our server provider’s egress fees, we’ve long used a Cloudflare rule that force-caches responses but revalidates on every request, with the cache key varying by the auth cookie (and a couple other headers and cookie values).
• This ensures users never see someone else’s data and that cached responses always get revalidated before being sent back to the user, avoiding sending stale response data while still cutting bandwidth when response bodies haven’t changed across multiple requests.

Recently, as Cloudflare started rolling out a change to their caching system, this rule began to misbehave in edge cases around that auth cookie transmission.

The practical symptoms are that after we sent that new auth cookie in the Set-Header to the client, the next request from the client did not contain that same auth cookie anymore, instead either providing a stale one or none at all, leading to the 2FA rejection.

How We Fixed It

We disabled the forced-response caching rule across our API endpoints and only left some very specific rules active.

This didn’t increase our API server load and users shouldn’t see any difference in behavior (except for 2FA verifications now working again).

A Note on Tests

We’ve noted this in past Dev Updates, but wanted to remind folks that we’ve been testing things.

What things? It depends!

Sometimes we’ll be very transparent about what’s being tested, although not always, depending on if we feel that extra knowledge might impact the results of the test.

When we’re testing something, you might notice that your experience(s) are a little different from your friends. While we’ll try to let the community know if we’re testing something really noticeable, don’t panic if something appears different!

A Note on Security

A third-party tool often used for asset ripping (and sometimes even by well-meaning users just trying to back up their avatars) recently suffered a breach, exposing usernames and passwords.

When working on projects, be sure to keep proper backups before you upload. Version control, cloud storage, or even a simple archive can save you from major headaches!

And most importantly, never put your account credentials into un-trusted tools!

Conclusion

That’s it for this Dev Update! We’ll be back September 11!

Can’t wait for autohold!

Any chance for the BSB2e giveaway to extend to Bluesky?

Unfortunately the giveaway tool we’re using for social media didn’t have a Bluesky option…

It’s good to block poorly made avatars with cloth, but that tool is used sometimes for specific use cases like VR filmaking, where optimization isn’t a priority over realism, is it possible to maintain the ability to upload cloth conponents (that go beyond the 2k poly cloth limit) for local test avatars?

How does autohold differ from binding the Drop action with steamVR input. (If at all?)
It’s great because it can be set up per object and it’s usable outside steamVR but I’m still curious.

When it comes to cloth physics, I would like to see the performance characteristics of them re-analyzed. The current cloth physics limits were put in place back when VRChat was based on Unity 2017, which had major bugs impacting the performance of cloth physics items. This led to incredibly low vertex count limits for cloth physics items, which is why so few avatars use the feature. The hard-limit for cloth physics vertices should be determined based both this performance re-analysis, as well as the current usage of cloth physics on avatars

This is already discussed in a few canny posts, but I just want to try and bring more visibility to the issue, since it’s now being discussed

Just as a bit of anecdotal information, I have an avatar that is currently rated as “very poor performance” solely due to the total cloth vertex count. Out of curiosity, I went to play mode and enabled the profiler, and spawned in 128 copies of the avatar. Cloth calculations made up less than 2 ms of my CPU time, while physbones (rated medium impact on this avatar) were using 14-16 ms of CPU time. As for load hitching, there was no perceivable difference in the time it took to to make 64 duplicates of the avatar with the cloth component deleted. If anything was going to get this avatar marked as very poor performance, it would be the physbones or skinned mesh renderers with the most impact on that rating, yet its the 2 ms of cloth calculations that result in that rating

Is there a way to give more attention to this canny to avoid similar breach . I think it would help everyone.

For the time being maybe it’d be a good idea to possibly limit the amount of verts in the cloth system. At the same time, just like the VRC Constraints and their purpose it might be a good idea if we could possibly get a new cloth system that wouldn’t be as heavy as the built in system with potential whitelisted support for Quest/Mobile. Someone did make a feedback post on this here and it’s relatively recent.

oh cool y’all are now adding a feature we’ve had on Vive wands for years. It’d be nice however if this was also something that’d be part of the steamvr bindings/grab behavior in the action menu. But it doesn’t hurt to also have it available in the SDK too.

that honestly sucks to hear and serves as a good psa. But it’d be good if we could get a way to obtain and download our assets so we could either retrieve older models for the purposes of updating them, or recover them if we’ve lost our old projects.

The update is good, though if I would wanna change anything it’d be the log curve on how VRC does its sound as it can be a bit too steep at times. This is in regards to both live and the beta but it could just be my adhd here.

I’m excited to see the direction that the avatar marketplace will be going. I believe it has a lot of potential in the near future! I hope that one day, there will be an option to insert custom texture files into purchased avatars. I bet it would save a lot of people from major migraines.

Is the cloth physics limitations only for Avatars, or would world use be affected as well?

Could we get more information as to why supporting Magica Cloth isn’t feasible right now? Aside from lack of money, prioritization of other projects, etc? Is there something else?

On SteamVR & other OpenVR runtimes, you can bind “Drop” on any controller and it makes almost everything auto-hold right now.

I do also hope they make this a toggle in the controls settings for other platforms besides SteamVR.

After autohold, will there be an autohat?

I never like when new restrictions comes along and break avatar. Is there any way to make it a graphics option so people that wants to see it can and others can’t? It could be a off by default option but letting people enable it if they have hardware that can handle it? Also someone mentioned using it for filmmaking in vrchat which is another good point to keep it in.

Making it an adjustable option with a reasonable default value may be better than enforcing a strict hard limit.

This could discourage overly heavy setups and block malicious use, while still leaving room for unexpected creativity.

We are discussing trade offs, not judging what is good or bad.

I use an avatar in the less than 3% that rely on Unity Cloth.

I value the balance between quality and performance, and I believe it is the responsibility of creators to configure Cloth carefully to maintain acceptable performance.

I hope people will realize that well configured Cloth can be both performant and of superior quality. I also hope more creators will learn to use Cloth responsibly.

Cloth and PhysBone are not the same thing, they serve different purposes for different situations. PhysBone is extremely performant but limited. Cloth offers superior quality, but it is far less performant and much harder to configure correctly for both quality and performance.

The only reason I use Unity Cloth is because I need something PhysBone cannot provide: vertices affecting each other in true physics simulation. Gravity, momentum, wind, twisting, and deformation, and most importantly, the ability for vertices to hold each other in position rather than just mimicking a cloth. Think of making a skirt and you will see.

In my case, I use Unity Cloth to drive the lower part of a coat. I cut the mesh below the chest as a standalone piece, applied Cloth physics, and work with a custom wind controller.

The same level of dynamics and quality is impossible to achieve with PhysBone alone. Cloth vertices influence each other, so collisions keep them at set distances. PhysBone, by contrast, works in independent chains, so parts like legs clip through it very easily.

Unity Cloth is indeed difficult to configure and performance heavy. However, it achieves results that PhysBone cannot, as shown in the example above. When configured correctly, a skirt will look far superior with Cloth, significantly outperforming PhysBone.

It is unavoidable that a Cloth-driven mesh will involve a certain number of vertices. If a cape has only four vertices, Cloth can do virtually nothing, and neither can PhysBone, because there is nothing substantial to collide with the avatar.

If the proposed limit is 2000 vertices per script, that seems reasonable and should cause little trouble. But if the limit is 2000 vertices total across all scripts, Unity Cloth becomes useless for avatars with multiple cloth objects, even if only one is active at a time.

The reason I argue against a strict hard limit is simple:

1. There is no replacement for Cloth in the near future. This means some projects will inevitably face difficulties, and certain ideas will never be realized.

2. Only a small number of avatars actually use Unity Cloth. Regardless of how responsibly their creators use it, the number is still small. Imposing a strict hard limit would be unnecessarily harsh.

Here is what I think:

1. Adding a hard limit to Cloth is reasonable. The fact that very few avatars use it does not mean it is completely harmless.
2. A hard limit of 2000 vertices per single Cloth script sounds reasonable, but it is still a painful restriction.
3. A hard limit of 2000 vertices across all scripts would make Cloth basically useless.
4. Most people have little idea how heavy or performant Unity Cloth actually is. Even many avatar creators are primarily players, not developers.
5. Making it an adjustable option with a reasonable default value may be better than enforcing a strict hard limit. This could discourage overly heavy setups and block malicious use, while still leaving room for unexpected creativity.

You kind of have a preexisting issue there where people WANT to use Magic Cloth but VRChat

In fact, people have been asking almosy half a decade ago for Magica cloth on the canny

There is certainly a need, a want, and a market for it

The thing is, cloth has been bugged to stick to different parts of the body.

I made a canny ab out this issue and it has been marked as tracked.

https://feedback.vrchat.com/open-beta/p/1514-cloth-is-cooked-but-resizing-the-avatar-fixes-it-more-info-inside

A use case I liked to use cloth for (before the bug might it too annoying to use at all) was skirts that looked like latex, because it just moves differently than physbones and I like it.

Why is the BigScreen contest only on Twitter and not your BSKY as well?

It’s really frustrating when big accounts like this don’t help allow people to move away from Twitter, as has become very important to do given the goals and views of who owns it. And a large part of your userbase no longer uses it, given the owner outright hates a good majority of the type of people who play this game.

The updated AutoHold option should have the same effect as binding the Drop action with SteamVR, and remain compatible with it. It has the advantage of working on non-SteamVR clients, and not requiring that the Drop button be mapped by a user in order to use it.

I’m curious - why do you think this should be an extra setting, rather than simply working the way that a world creator intends?