Using session keys in Unity

In-game keys are specialized access tools assigned with specific in-game permissions, tailored for enhancing gaming experiences. Examples include:

A key that grants access only to specific game levels or areas.
A key that allows the use of up to 1000 in-game currency units.
A key that remains valid for 3 days before expiring.

Configuration

This section will guide you through the process of registering a session key and using it to mint an asset with a player's smart account.

1. Create a session key Client side

After you have authenticated your user with your regular authentication system, you can create a session key for them. To create a session key, you need to generate a key pair on the client-side and send the address computed from the public key to your server.

Using one of the official Openfort client libraries everything is handled for you.

Install the client-side library:

Open Packages/manifest.json and add these lines:

"com.openfort.sdk": "https://github.com/openfort-xyz/openfort-csharp-unity.git",
"com.unity.nuget.newtonsoft-json": "3.0.1",
"com.cysharp.unitask": "https://github.com/Cysharp/UniTask.git?path=src/UniTask/Assets/Plugins/UniTask#2.3.3"

Initialize Openfort and create a session key:

using Openfort.OpenfortSDK;
using Openfort.OpenfortSDK.Model;
 
public class LoginSceneManager : MonoBehaviour
{
  private OpenfortSDK openfort;
  private SessionKey sessionKey;
  private void Start()
  {
    openfort = await Openfort.Init("YOUR_OPENFORT_PUBLISHABLE_KEY");
    sessionKey = openfort.ConfigureSessionKey();
  }
}

1. Create a session key Server side

Viem create session key

import { generatePrivateKey, privateKeyToAccount } from 'viem/accounts';
 
const sessionKey = generatePrivateKey();
const accountSession = privateKeyToAccount(sessionKey).address;

Ethers create session key

Using ethers, you can create a key pair on the server side of you application.

const sessionKey = ethers.Wallet.createRandom();

The parameter sessionKey contains the address that you will need to register.

After creating the session key, you can go ahead and register it.

2. Register a session key - Server side Client side

To register a session key, first send the address from the session key to your server. You can get the address from the session key object created above like this:

string address  = sessionKey.Address;

Then, from your server you can make a request to the Openfort API or use one of our server libraries to register the session key.

Install Openfort in your server-side and initialize it with your secret key.

node

npm install @openfort/openfort-node

Initialize '@openfort/openfort-node' with your secret key.

server.ts

import Openfort from "@openfort/openfort-node";
const openfort = new Openfort("sk_test_...");

.net

dotnet add package Openfort.SDK

Initialize 'Openfort.SDK' with your secret key.

server.cs

using Openfort.SDK;
using Openfort.SDK.Model;
 
var openfort = new OpenfortClient("sk_test_...");

The created session key would be valid since the 25th of May 2023 at 7:50 GMT (timestamp 1685001000) and last for 1 hour (timestamp 1685001000). For a useful resource to calculate timestamps online, visit UNIX Timestamp.

Also, note how a policy is used to indicate the policy that will be used to sponsor the gas fees of the transaction to register the session key.

curl

curl https://api.openfort.io/v1/sessions \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d validUntil=1685004600 \
  -d validAfter=0 \
  -d account="acc_..." \
  -d policy=pol_...

3. Authorize the session key - Client side

The owner of the account needs then to authorize the new session key.

To do so, it needs to sign the signableHash from the nextAction object returned by the API call to register the session key.

"nextAction": {
    "type": "sign_with_wallet",
    "payload": {
        "signableHash": "0x91b4efe3648c79467f7b50aa9bb1b4eae383a52dd6d741d39ece29ed2ef8362d"
    }
},

Once its signed by the owner signer of the account, it has to be sent to Openfort using the endpoint /v1/sessions/:id/signature as shown below:

curl

curl https://api.openfort.io/v1/sessions/ses_.../signature \
  -H "Authorization: Bearer $YOUR_PUBLISHABLE_KEY" \
  -d signature="xyz..."

client.cs

await Openfort.SendSignatureSessionRequest(
  playerSession.id,
  SIGNED_USED_OP_HASH
);

After registering the session key, you can see it in the dashboard under the player's page.

4. Using the session key - Server side Client side

After the session key is registered, it can be used to authenticate requests from the player. Whenever you create a transaction intent from your backend, a signature will be needed from the session key or owner of the users' smart account.

Create a transaction intent:

curl

curl https://api.openfort.io/v1/transaction_intents \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d account="acc_..." \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d policy=pol_...

After creating the transaction intent, the session key will need to sign the nextAction signableHash and send it to Openfort. The response of the call to transaction intents will contain a nextAction object like this:

"nextAction": {
    "type": "sign_with_wallet",
    "payload": {
        "signableHash": "0x91b4efe3648c79467f7b50aa9bb1b4eae383a52dd6d741d39ece29ed2ef8362d"
    }
},

5. Revoke a session key - Client side Server side

The owner of the account can always revoke the session key.

To do so, it needs to sign the signableHash from the nextAction object returned by the API call to revoke the session key.

curl

curl https://api.openfort.io/v1/sessions/revoke \
  -H "Authorization: Bearer $YOUR_SECRET_KEY" \
  -d account=acc_... \
  -d address="0x76e6...9341" \
  -d chainId=80002 \
  -d policy=pol_...

Make sure to sign the signableHash with the owner account and send it to Openfort using the endpoint /v1/sessions/:id/signature.