Implementing Authentication

A toolkit (in the Pley SDK) that helps you with authenticating and identifying users.

AuthKit is Pley's tool to identify, verify, and authenticate users on the Pley platform who is trying to play your games. It integrates with your back-end and provides access to Pley's backend to verify any logged-in users on the platform.

This article is just the how-to to implement Pley Authentication into your game.
Read more about Pley Authentication here.

1) Fetch the Pley Session Token.
2) Send the Session Token to your backend.
3) Backend verifies the Session Token with the Pley server through an HTTP request.
4) Pley returns the game_user_id. The user is now verified.
5) Send the Pley game_user_id to the game client and use it to authenticate the user (fetching their progress).

Note that Session Tokens expire after 30 minutes on Pley. If you are doing any verifications, it is recommended to fetch a new Session Token and verify it.

Getting and Sending Session Token


API References

You can find the methods called in the references for Unity SDK AuthKit and for the C SDK AuthKit.

Getting and sending Session Token from the SDK is simple.

// Remember to initialize the SDK first. 

// Request a session token ID from the SDK:
private string GetPleySessionToken()
	return Pley.AuthKit.GetSessionToken();

// Now that we have the session token ID, we send it over to your backend so the backend can send a request to Pley's server.
private void SendTokenToBackend()
	// Your backend's server send request

Getting the Game User ID using the Session Token

Before we get the Game User ID, it is recommended that you verify the Session Token with the Pley server first. To do that, simply create an HTTP request using cURL, from your backend:

curl -X POST \ \
  -H 'Authorization: Bearer your-api-token' \
  -H 'Content-Type: application/json' \
  -d '{
    "session_token": "users-session-token"

Your backend will receive a JSON response back.

  "data": {
    "game_user": {
      "game_user_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "username": "Tornado92"
    "game_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Note that while this JSON contains the Game User ID, it also includes the username. Pley supports usernames, but note that Guest users does not have a username. It is recommended to avoid using usernames in your game, even though it is provided.

Secondly, you can check the status code for this response. As customary we use 200 for a valid response (i.e. verified Session Token) and a 400 as a bad request (i.e. corrupt Session Token)


We've included the Game ID within the response JSON so you can identify a specific game. This can be useful if you have multiple games hooked to the same backend service and need verification. This is also used by us to authenticate you as a developer when a request is sent.

Verification Frequency

How often you need to verify a user depends on the communication between your game and the backend. If your communication with the backend is stateless (i.e. communicating with an HTTP API without sessions) we recommend you either verify with each call or at least with very sensitive calls (i.e. calls that will modify your database).
If your communication with the backend is stateful (for example using WebSocket) then you can verify once at the beginning of said communications.


Session Token ID Expires

As mentioned above, Session Tokens expire after a while automatically (every 30 minutes). We recommend you request the Session Token when you're doing any verifications just in case.


SDK Game User ID

The Game User ID is available from within the SDK. However, the method call isn't meant to be used for verification as the resulting Game User ID can be easily tampered with. The purpose of this method call is to help in error reporting for example.

What’s Next