Skip to content

Using session keys in Unity

In-game keys are specialized access tools assigned with specific in-game permissions, tailored for enhancing gaming experiences. Examples include:

  • A key that grants access only to specific game levels or areas.
  • A key that allows the use of up to 1000 in-game currency units.
  • A key that remains valid for 3 days before expiring.

Configuration

This section will guide you through the process of registering a session key and using it to mint an asset with a player's smart account.

2. Register a session key - Server side Client side

To register a session key, first send the address from the session key to your server. You can get the address from the session key object created above like this:

string address  = sessionKey.Address;

Then, from your server you can make a request to the Openfort API or use one of our server libraries to register the session key.

Install Openfort in your server-side and initialize it with your secret key.

node
npm install @openfort/openfort-node

Initialize '@openfort/openfort-node' with your secret key.

server.ts
import Openfort from "@openfort/openfort-node";
const openfort = new Openfort("sk_test_...");
.net
dotnet add package Openfort.SDK

Initialize 'Openfort.SDK' with your secret key.

server.cs
using Openfort.SDK;
using Openfort.SDK.Model;
 
var openfort = new OpenfortClient("sk_test_...");

The created session key would be valid since the 25th of May 2023 at 7:50 GMT (timestamp 1685001000) and last for 1 hour (timestamp 1685001000). For a useful resource to calculate timestamps online, visit UNIX Timestamp.

Also, note how a policy is used to indicate the policy that will be used to sponsor the gas fees of the transaction to register the session key.

Register the session key using Openfort:

curl
curl https://api.openfort.io/v1/sessions \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d validUntil=1685004600 \
  -d validAfter=0 \
  -d account="acc_..." \
  -d policy=pol_...

3. Authorize the session key - Client side

The owner of the account needs then to authorize the new session key.

To do so, it needs to sign the signableHash from the nextAction object returned by the API call to register the session key.

"nextAction": {
    "type": "sign_with_wallet",
    "payload": {
        "signableHash": "0x91b4efe3648c79467f7b50aa9bb1b4eae383a52dd6d741d39ece29ed2ef8362d"
    }
},

Once its signed by the owner signer of the account, it has to be sent to Openfort using the endpoint /v1/sessions/:id/signature as shown below:

curl
curl https://api.openfort.io/v1/sessions/ses_.../signature \
  -H "Authorization: Bearer $YOUR_PUBLISHABLE_KEY" \
  -d signature="xyz..."
client.cs
await Openfort.SendSignatureSessionRequest(
  playerSession.id,
  SIGNED_USED_OP_HASH
);

After registering the session key, you can see it in the dashboard under the player's page.

DashboardRegisterSessionKey

4. Using the session key - Server side Client side

After the session key is registered, it can be used to authenticate requests from the player. Whenever you create a transaction intent from your backend, a signature will be needed from the session key or owner of the users' smart account.

Create a transaction intent:

curl
curl https://api.openfort.io/v1/transaction_intents \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d account="acc_..." \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d policy=pol_...

After creating the transaction intent, the session key will need to sign the nextAction signableHash and send it to Openfort. The response of the call to transaction intents will contain a nextAction object like this:

"nextAction": {
    "type": "sign_with_wallet",
    "payload": {
        "signableHash": "0x91b4efe3648c79467f7b50aa9bb1b4eae383a52dd6d741d39ece29ed2ef8362d"
    }
},

5. Revoke a session key - Client side Server side

The owner of the account can always revoke the session key.

To do so, it needs to sign the signableHash from the nextAction object returned by the API call to revoke the session key.

curl
curl https://api.openfort.io/v1/sessions/revoke \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d account=acc_... \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d policy=pol_...

Make sure to sign the signableHash with the owner account and send it to Openfort using the endpoint /v1/sessions/:id/signature.