What "public" actually means for a FiveM server
When you boot FXServer on your own machine, it works locally because every connection stays inside one computer. Making the server public means two separate things have to happen. First, traffic from the outside internet has to reach the process on the right port. Second, the server has to authenticate with Cfx.re and announce itself so it is listed and reachable. People skip the second half constantly, then wonder why a server that runs perfectly on their LAN is invisible to everyone else.
This guide covers the full path: the ports and protocols, the license key, the privacy and capacity cvars, and how players actually reach you through the server list or direct connect.
The ports and protocols FiveM uses
FiveM uses a single default port, 30120, but it uses it over both TCP and UDP. This is the detail that trips up most first-time hosts. The game client and server exchange game state over UDP for low latency, while TCP carries other connection traffic. If you forward only TCP, the server may look like it is responding to some checks while gameplay connections silently fail.
The port is controlled by the endpoint_add_tcp and endpoint_add_udp directives in your server.cfg. The default template ships with both bound to all interfaces on 30120:
endpoint_add_tcp "0.0.0.0:30120"
endpoint_add_udp "0.0.0.0:30120"
The 0.0.0.0 means the server listens on every network interface, not just localhost. Keep both lines. If you only want to change the port, change it in both lines and remember to forward the new port over both protocols.
Why both TCP and UDP matter
A common failure pattern: the host opens 30120 TCP on the router, the server appears to start cleanly, the owner can see a heartbeat, but no real player can join or the connection times out at "Connecting." The UDP path carries the actual session traffic. Without UDP, the handshake stalls. Always forward and allow both.
The license key: sv_licenseKey
Every public FiveM server needs a license key issued by Cfx.re. Without a valid sv_licenseKey, the server will refuse to start or will not register with the master list, and it will never appear publicly.
You generate the key for free at the Cfx.re Portal (portal.cfx.re), the current home of the old keymaster. When you create a key, it asks for the IP address the server will run on. You then place it in server.cfg:
sv_licenseKey changeme
Replace changeme with your actual key. Treat the key like a secret. Do not commit it to a public repository and do not paste it in screenshots. If a key leaks, revoke and regenerate it from the keymaster. A mismatched key (for example, a key generated for a different IP or marked for a specific host) is one of the most common reasons a server runs but is not listed.
sv_endpointprivacy and reporting your address
FiveM has a cvar called sv_endpointprivacy that controls whether your server reports its real public endpoint to the server list and to clients.
sv_endpointprivacy true
When sv_endpointprivacy is set to true, the server hides its endpoint from the public list browser, which can prevent normal players from joining through the list. For a server you want to be fully public and easy to join, set it to false so the endpoint is reported:
sv_endpointprivacy false
If your server appears in the list but players who click it cannot connect, check this cvar first. A true value combined with players relying on the list browser is a classic invisible-connection bug.
sv_maxclients and capacity
sv_maxclients sets how many players can be connected at once. It does not affect whether you are public, but it is part of every correct server.cfg and it caps your slots:
sv_maxclients 48
The allowed range depends on the platform tier, and OneSync raises the ceiling well beyond the old 32-slot limit. Set it to the realistic number of slots your machine and network can actually handle. Oversizing it does not make you more visible; it just lets more people try to connect to a box that may not keep up.
OneSync and the server list
OneSync is the Cfx.re networking layer that allows higher player counts and server-authoritative state. It is not enabled by default; the stock server.cfg template ships with the line commented out, so you have to turn it on yourself:
set onesync on
OneSync itself is not what makes you public, but it is tied to your license key and slot count, and you want it on for any server above the legacy 32-slot limit. OneSync is free up to 48 slots; going higher requires a paid Cfx.re subscription tier. If you set a high sv_maxclients without enabling OneSync, the server will not behave correctly.
How players reach you: server list vs direct connect
There are two ways players connect, and understanding both helps you diagnose visibility problems.
The server list
When your server has a valid license key and is reporting its endpoint, it registers with the Cfx.re master server and shows up in the in-game and web server list. Players search by name and click to join. This path depends on the license key, the reported endpoint (sv_endpointprivacy false), and reachability of your ports from the outside. If any of those is wrong, you either do not appear or appear but fail to connect.
Direct connect
Players can bypass the list entirely. In the FiveM client they open the direct connect field and type your public address and port, for example 203.0.113.10:30120. Direct connect is the fastest way to test reachability: if a friend on a different network can direct connect but the server is not in the list, your ports are open and the problem is registration (license key or privacy cvar). If direct connect also fails, your ports or firewall are the problem.
Use this as a diagnostic split. Direct connect failing points at network and firewall. List failing while direct connect works points at the key and reporting.
Firewall rules on the server machine
Forwarding the port on your router is only half the network job. The operating system on the server machine also has a firewall that must allow inbound traffic on 30120 for both TCP and UDP.
On Windows, add inbound rules for TCP 30120 and UDP 30120 through Windows Defender Firewall. On a Linux box, allow the port through whatever firewall you run, for example with ufw:
sudo ufw allow 30120/tcp
sudo ufw allow 30120/udp
If you host with a provider, also check their network-level firewall or security group, since cloud hosts often block inbound traffic by default until you open it explicitly.
Router port forwarding for home hosting
If you host from home, log into your router and create a port forward that sends external 30120 to the internal LAN IP of your server machine, for both TCP and UDP. Give the server machine a static or reserved LAN IP first, otherwise DHCP can reassign it and break the forward later.
A few realities of home hosting worth knowing up front. Many ISPs use CGNAT, which means you do not have a true public IP and port forwarding cannot work no matter what you configure. If your external IP in the router does not match the IP shown by a what-is-my-IP check, you are likely behind CGNAT and need a different approach or a hosted server. Residential upload bandwidth also caps how many players you can realistically serve.
Putting the server.cfg pieces together
A minimal public-ready block in server.cfg looks like this:
endpoint_add_tcp "0.0.0.0:30120"
endpoint_add_udp "0.0.0.0:30120"
sv_maxclients 48
set onesync on
sv_endpointprivacy false
sv_hostname "My FiveM Server"
sv_licenseKey changeme
Replace the hostname and license key with your own. With this in place, the ports forwarded over both protocols, and the OS firewall allowing 30120, the server registers and becomes joinable through the list and via direct connect.
Verifying it works
Do not assume; verify from outside your own network. Ask someone on a different connection (or use mobile data) to direct connect to your public IP and port. If they connect, try the server list. If both work, you are public. If only direct connect works, revisit the license key and sv_endpointprivacy. If neither works, revisit port forwarding, both protocols, and the OS and provider firewalls.