Authentication

Cloud Code only accepts authenticated requests.

Authentication allows you to use a player's identity to ensure security, consistency, and safety with every interaction in your game.

To authenticate with Cloud Code, you can use the authentication methods below:

Request origin | Authentication method
Untrusted client (players) | Use the Unity Authentication service.
Trusted client (game server, integration testing, local machine) | Use service account authentication or Game Server Hosting authentication.

Authenticate players

Unity Authentication assigns unique identifiers to players and provides a variety of authentication methods.

Note: You can use Unity Authentication for anonymous authentication and platform-specific authentication solutions for supported platforms, including mobile and PC.

Unity Authentication uses Bearer authentication with JSON Web Tokens (JWT). Cloud Code modules provide an IExecutionContext interface that contains an AccessToken property. This access token is the JWT that you use to authenticate the player that calls the module.

For more information about how to use the AccessToken in your module, refer to the Access token support documentation.

Restrict access

If you want to restrict access to specific module endpoints, you can use Role-based Access Control (RBAC) rules.

These rules allow you to ensure that players can't run special module endpoints, such as single-use support functions that grant players additional resources. For more information, refer to the Access Control documentation.

Note: For security, you can use JWTs that the Unity Authentication service generates only with the Cloud Code Client API. The Cloud Code service rejects calls that present these JWTs to the Cloud Code Admin API.

Authenticate trusted clients

You can use both the Client and Admin Cloud Code APIs with Service Account Authentication.

This opens up a variety of ways that you can use Cloud Code:

  • Write modules from your local machine.
  • Write and run modules from a CI/CD pipeline.
  • Run modules from a game server.
  • Run modules in integration tests.

You can use Service Accounts for both Bearer (JWT) and Basic authentication.

Cloud Code Admin API (Basic Authentication)

To access the Cloud Code Admin API, you need to use Basic authentication.

To use the Service Account credentials directly, base64-encode the string <KEY_ID>:<SECRET_KEY>. You also need to grant the service account the appropriate permissions. For more information on permissions and roles in Cloud Code, refer to the table below.

Access rights | Role
Read modules | Cloud Code Viewer
Read/Write/Delete modules | Cloud Code Editor

For more information, refer to the Service Account Authentication documentation.

Cloud Code Client API (Bearer Authentication)

To access the Cloud Code Client API, use Bearer authentication. You can use the Token Exchange API to obtain a stateless token with a limited lifespan.

Note: Although the Token Exchange API states that the query parameter for the environment ID is optional, you need to provide the environment ID to access the Cloud Code Client API to run modules.

To refresh the token when it expires, you can use the same API.

Cloud Code modules provide an IExecutionContext object that contains a ServiceToken property. The ServiceToken property is a JWT that you can use to authenticate as Cloud Code and access cross-player data. For example, you can use this token to make calls to Cloud Save to save data on behalf of another player.

For more information about how to use the ServiceToken in your module, refer to the Service token support documentation.

Note: You can only use the Token Exchange API to call out to the Client API. You don't need to specify any scopes in the request.
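
The trusted-client flow described above (Basic credentials exchanged for a short-lived Bearer token that is refreshed through the same API), as an added example that is not part of the original documentation or Unity's own code. The endpoint URL, the projectId and environmentId query parameter names, the accessToken response field, and all function and class names are assumptions to confirm against the Token Exchange API reference.

```python
import base64, json, time, urllib.parse, urllib.request

# Assumed endpoint and response field; confirm against the Token Exchange API reference.
TOKEN_EXCHANGE_URL = "https://services.api.unity.com/auth/v1/token-exchange"

def basic_auth_header(key_id: str, secret_key: str) -> str:
    """Basic scheme: base64 of '<KEY_ID>:<SECRET_KEY>'."""
    raw = f"{key_id}:{secret_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_exchange_request(key_id, secret_key, project_id, environment_id):
    """Build (not send) the exchange request; the environment ID is mandatory here."""
    if not environment_id:
        raise ValueError("environment ID is required to run modules via the Client API")
    query = urllib.parse.urlencode({"projectId": project_id, "environmentId": environment_id})
    return urllib.request.Request(
        f"{TOKEN_EXCHANGE_URL}?{query}", data=b"", method="POST",
        headers={"Authorization": basic_auth_header(key_id, secret_key)})

def jwt_expiry(token: str) -> int:
    """Read 'exp' to schedule a refresh. No signature check: the service validates the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

class BearerTokenCache:
    """Holds the short-lived token and re-runs the exchange shortly before it expires."""
    def __init__(self, exchange, skew_seconds=60):
        self._exchange = exchange      # callable returning a fresh JWT string
        self._skew = skew_seconds
        self._token, self._exp = None, 0

    def authorization(self, now=None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._exp - self._skew:
            self._token = self._exchange()
            self._exp = jwt_expiry(self._token)
        return "Bearer " + self._token

def exchange_over_http(key_id, secret_key, project_id, environment_id):
    """Perform the exchange over the network (never called at import time)."""
    req = build_exchange_request(key_id, secret_key, project_id, environment_id)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["accessToken"]
```

Read the key ID and secret key from the environment or a secret store rather than from source, and pass BearerTokenCache a callable that wraps exchange_over_http with those values.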

Authenticate with Game Server Hosting

Game Server Hosting (Multiplay) supports an additional authentication method which uses server-generated JWTs. For more information, refer to the documentation on how to Call from Unity game server (Multiplay).