Relay uses several layers of authentication to support secure communication across the service:

UAS authentication

UAS authentication is HTTP-based and communicates with the Allocations service and other Unity services, such as Lobby.

Before requesting an allocation, game clients must get an access token by using UAS, then pass the access token in the Authorization header of the allocation request.

Relay BIND message authentication

Relay authentication uses HMAC signatures to authenticate players. The secure signatures use secret keys and nonce values.

HMACs and shared secrets

An HMAC (hash-based message authentication code) is a message authentication code that uses a cryptographic hash function and keys to authenticate messages. Relay uses the shared secret key generated by the Relay server to sign an HMAC that has the connection data and an incrementing nonce.

If the client’s IP address or port number changes, the supplied nonce must be larger than the last known value (the previous nonce) to mitigate a replay attack. However, if rebinding from the same IP address and port number, the client doesn't need to increment the nonce.

DTLS authentication

DTLS authentication uses a pre-shared key (PSK) whose value is equal to the HMAC secret key used in the BIND message authentication. The PSK hint in the DTLS handshake is equal to the allocation ID. Check out DTLS encryption.