Using session keys in Unity

In-game keys are specialized access tools assigned with specific in-game permissions, tailored for enhancing gaming experiences. Examples include:

• A key that grants access only to specific game levels or areas.
• A key that allows the use of up to 1000 in-game currency units.
• A key that remains valid for 3 days before expiring.

Configuration

This section will guide you through the process of registering a session key and using it to mint an asset with a player's smart account.

"com.openfort.sdk": "https://github.com/openfort-xyz/openfort-csharp-unity.git",
"com.unity.nuget.newtonsoft-json": "3.0.1",
"com.cysharp.unitask": "https://github.com/Cysharp/UniTask.git?path=src/UniTask/Assets/Plugins/UniTask#2.3.3"

using Openfort.OpenfortSDK;
using Openfort.OpenfortSDK.Model;
 
public class LoginSceneManager : MonoBehaviour
{
  private OpenfortSDK openfort;
  private SessionKey sessionKey;
  private void Start()
  {
    openfort = await Openfort.Init("YOUR_OPENFORT_PUBLISHABLE_KEY");
    sessionKey = openfort.ConfigureSessionKey();
  }
}

const sessionKey = ethers.Wallet.createRandom();

2. Register a session key - Server side Client side

To register a session key, first send the address from the session key to your server. You can get the address from the session key object created above like this:

string address  = sessionKey.Address;

Then, from your server you can make a request to the Openfort API or use one of our server libraries to register the session key.

Install Openfort in your server-side and initialize it with your secret key.

npm install @openfort/openfort-node

Initialize '@openfort/openfort-node' with your secret key.

import Openfort from "@openfort/openfort-node";
const openfort = new Openfort("sk_test_...");

dotnet add package Openfort.SDK

Initialize 'Openfort.SDK' with your secret key.

using Openfort.SDK;
using Openfort.SDK.Model;
 
var openfort = new OpenfortClient("sk_test_...");

The created session key would be valid since the 25th of May 2023 at 7:50 GMT (timestamp 1685001000) and last for 1 hour (timestamp 1685001000). For a useful resource to calculate timestamps online, visit UNIX Timestamp.

Note how the externalOwnerAddress parameter is used to indicate the address of owner of the account that will be created under the specified player. It's only necessary to specify this parameter when the player is doesn't yet have an account in that chain.

Also, note how a policy is used to indicate the policy that will be used to sponsor the gas fees of the transaction to register the session key.

In this example externalOwnerAddress is used to indicate the address of the owner of the account that will be created under the specified player.

Register the session key using Openfort:

curl https://api.openfort.io/v1/sessions \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d player=pla_... \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d validUntil=1685004600 \
  -d validAfter=0 \
  -d externalOwnerAddress="0x41e6...9341" \
  -d policy=pol_...

After registering the session key, you can see it in the dashboard under the player's page.

3. Sign the session key - Client side

The owner of the account of the player needs then to authorize the new session key.

To do so, it needs to sign the userOperationHash from the nextAction object returned by the API call to register the session key.

nextAction response object from transaction_intents

"nextAction": {
    "type": "sign_with_wallet",
    "payload": {
        "signableHash": "0x91b4efe3648c79467f7b50aa9bb1b4eae383a52dd6d741d39ece29ed2ef8362d"
    }
},

Once the content of the nextAction parameter above is signed by the owner signer of the account, it has to be sent to Openfort using the endpoint /v1/sessions/:id/signature as shown below:

Sign and send the session key registration:

curl https://api.openfort.io/v1/sessions/ses_.../signature \
  -H "Authorization: Bearer $YOUR_PUBLISHABLE_KEY" \
  -d signature="xyz..."

await Openfort.SendSignatureSessionRequest(
  playerSession.id,
  SIGNED_USED_OP_HASH
);

4. Using the session key - Server side Client side

After the session key is registered, it can be used to authenticate requests from the player. Whenever you create a transaction intent from your backend, a signature will be needed from the session key or owner of the players' smart account.

Create a transaction intent:

curl https://api.openfort.io/v1/transaction_intents \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d player=pla_... \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d policy=pol_...

After creating the transaction intent, the session key will need to sign the nextAction userOperationHash and send it to Openfort.

To do so, pass the userOperationHash to the sendSignatureTransactionIntentRequest method of the Openfort client library. Load session key and sign a transaction intent:

await Openfort.SendSignatureTransactionIntentRequest(
  collectResponseJSON.data.id,
  userOperationHash
);

5. Revoke a session key - Client side Server side

The owner of the account can always revoke the session key.

To do so, it needs to sign the userOperationHash from the nextAction object returned by the API call to revoke the session key.

Create a transaction intent:

curl https://api.openfort.io/v1/sessions/revoke \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d player=pla_... \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d policy=pol_...

Sign the transaction to revoke the session key and remove from client side:

var openfortTransactionResponse =
  await openfort.sendSignatureTransactionIntentRequest(
    revokeResponseJSON.data.id,
    userOperationHash
  );