Authentication
Cloud Code only accepts authenticated requests.
Authentication allows you to use a player's identity to ensure security, consistency, and safety with every interaction in your game.
To authenticate with Cloud code, you can use the authentication methods below:
| Request origin | Authentication method |
|---|---|
| Untrusted client (player) | Use the Unity Authentication service. |
| Trusted client (game server, integration testing, local machine) | Use service account authentication or Game Server Hosting authentication. |
Authenticate players
Unity Authentication assigns unique identifiers to players and provides a variety of authentication methods.
Note: You can use Unity Authentication for anonymous authentication and platform-specific authentication solutions for supported platforms, including mobile and PC.
Cloud Code scripts provide a context object which contains an accessToken property. This access token is the JWT that you use to authenticate the player that calls the script.
For more information about how to use the accessToken in your script, refer to the Access token support documentation.
Restrict access
If you want to restrict access to specific scripts, you can use Role-based Access Control (RBAC) rules.
These rules allow you to ensure that players can't run special scripts, such as single-use support scripts that grant players additional resources. For more information, refer to the Access Control documentation.
Note: For security, you can only use JWTs that the Unity Authentication service generates with the Cloud Code Client API. The Cloud Code service rejects these calls if you make them to the Cloud Code Admin API.
Authenticate trusted clients
You can use the both the Client and Admin Cloud Code APIs with Service Account Authentication.
This opens up a variety ways that you can use Cloud Code:
- Write scripts from your local machine.
- Write and run scripts from a CI/CD pipeline.
- Run scripts from a game server.
- Run scripts in integration tests.
You can use Service Accounts for both Bearer (JWT) and Basic authentication. For more information, check the Service Account Authentication documentation.
Cloud Code Admin API (Basic Authentication)
To access the Cloud Code Admin API, use Basic authentication.
To use the Service Account credentials directly, base64 encode the <KEY_ID>:<SECRET_KEY>. You also need to grant the service account the appropriate permissions. For more information on permissions and roles in Cloud Code, refer to the table below.
| Access rights | Role |
|---|---|
| Read scripts | Cloud Code Viewer |
| Read/Write/Delete scripts | Cloud Code Editor |
| Publish scripts | Cloud Code Publisher |
Cloud Code Client API (Bearer Authentication)
To access the Cloud Code Client API, use Bearer auth with Token Exchange API to obtain a stateless token with a limited lifespan.
Note: Although the Token Exchange API states that the query parameter for the environment ID is optional, you must provide it to access the Cloud Code Client API for running scripts.
To refresh the token when it expires, you can use the same API.
Cloud Code scripts provide a context object which contains an serviceToken property. The serviceToken property is a JWT that you can use to authenticate as Cloud Code and access cross-player data. For example, you can use this token to make calls to Cloud Save to save data on behalf of another player.
For more information about how to use the serviceToken in your script, refer to the Service token support documentation.
Note: You can only use the Token Exchange API to call out to the Client API. You don't need to specify any scopes in the request.
Authenticate with Game Server Hosting
Game Server Hosting (Multiplay) supports an additional authentication method which uses server-generated JWTs. For more information, learn how to Call from Unity game server (Multiplay).