User Auth for Temporal Online Game


We have a Kind of online web escape room game for corporate teams. So a corporate book a game with us, send us the players list, and we create a custom games for their. Then players enter to a lobby page with all their names and click on their user and automaticity logs in.

Now I will explain how it works our backend for a game of 20 players (is not matter the number of players):

The backend creates 20 new users(these users can only play this game they don’t have any other permits), with the same password and custom name. Then we create the rest of the logic for the game.
These users are never deleted and remains in our db.

We plan to rework this part because maybe having this amount of unused user is not the best effective way to do this.

Our new plan is the following one for a game of 20 players. Create a new model with username, foreign key for the game and a secrete token for each player. Once the player clicks on their profile we will send the secrete token and will be stored in the local storage in the browser. Then I will protect all the views and request with this token auth. When the games finish, all the user will be deleted.(We only need to store the game information, like timing and other stuff, no user information)

These could be a good approach. Create a simple token auth for only this part of the service?

What you would think?

Thanks in advance.