Admin authentication

Loading...

Admin APIs allow you to access and configure Unity Services as an administrator. To authenticate admin APIs, you must create and use service accounts.

Supported APIs

Some APIs directly support service account authentication, while others require an additional stateless token.

These APIs directly support service accounts:

• Authentication
• Advertising Management
• Advertising Statistics
• Assets Manager
• Application Linking
• Annotations
• Presence
• Cloud Save
• Economy
• Triggers
• Scheduler
• Cloud Code
• Leaderboards
• Matchmaker
• Matchmaker CLI
• Session Observability
• Remote Config API
• SCIM API
• User Generated Content
• Multiplay
• Content Delivery Management
• Player Authentication
• Resource Policy
• Access (deprecated)
• Text Evidence Management API
• Storage
• Observability
• Instance Metadata
• Workflow Engine

These APIs require an additional stateless token:

• Cloud Save
• Economy
• Cloud Code
• Leaderboards
• Lobby
• Matchmaker
• Friends
• Player Names
• Multiplay Game Server Lifecycle

Prerequisites

Before you use service accounts, make sure you are an organization owner.

Create a service account

To create a service account, follow these steps:

1. In the Unity Cloud, go to Administration > Service Accounts.
2. Select Create service account to create a new account.
3. In the Keys section, select Create key to generate a key ID and a secret key.
4. Add a role to your service account to allow access to API endpoints.
   • Select Add organization role to grant access to organization-level data that applies to all projects in your organization.
   • Select Add project role to grant access to project-level data that applies to individual projects.

You can now use either your service account credentials or a stateless authentication token to authenticate and call an API.

Authenticate an API using service account credentials

To authenticate an API using your service account credentials, open a terminal and enter the following authorization HTTP header:

curl -H "Authorization: Basic <SERVICE_ACCOUNT_CREDENTIALS>" \
https://services.api.unity.com/<ENDPOINT>

The <SERVICE_ACCOUNT_CREDENTIALS> is created by Base64 encoding the string <KEY_ID>:<SECRET_KEY>. It uses the key ID and secret key you generated when you created a service account.

For example, if your key ID is 7e0f1152-e0dd-4b14-8e37-04cab07efeb0 and your secret key is NKxoRp2m2w3e9gzJfssNQnTfypFgtJn7, your header will be 7e0f1152-e0dd-4b14-8e37-04cab07efeb0:NKxoRp2m2w3e9gzJfssNQnTfypFgtJn7.

Authenticate an API with the Unix terminal

Important

You must Base64 encode the key string before authenticating an API with the Unix terminal.

If you're using a Unix terminal, follow these steps:

1. Enter a command to Base64 encode the key string.

echo -n "7e0f1152-e0dd-4b14-8e37-04cab07efeb0:NKxoRp2m2w3e9gzJfssNQnTfypFgtJn7" | base64

2. Replace <SERVICE_ACCOUNT_CREDENTIALS> with the output from the previous command.

curl -H "Authorization: Basic N2UwZjExNTItZTBkZC00YjE0LThlMzctMDRjYWIwN2VmZWIwOk5LeG9ScDJtMnczZTlnekpmc3NOUW5UZnlwRmd0Sm43" \
https://services.api.unity.com/<ENDPOINT>

You have now authenticated your API.

Authenticate an API using a stateless token

To authenticate an API using a stateless token, follow these steps:

1. Call the Token Exchange API. Make sure to send your key ID and your secret key as the authorization in the request.

curl -X POST -H "Authorization: Basic N2UwZjExNTItZTBkZC00YjE0LThlMzctMDRjYWIwN2VmZWIwOk5LeG9ScDJtMnczZTlnekpmc3NOUW5UZnlwRmd0Sm43" 
https://services.api.unity.com/auth/v1/token-exchange?projectId=<PROJECT_ID>&environmentId=<ENVIRONMENT_ID>

As a response, you receive an accessToken.

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ",
}

2. Use the accessToken to call APIs in the context of the project ID and/or environment ID you specified earlier.

curl -H "Authorization: Bearer <STATELESS_ACCESS_TOKEN>" \
https://services.api.unity.com/<ENDPOINT>

Refresh your stateless token

The stateless access token you receive after calling the Token Exchange API includes an exp field which determines the token's lifespan. If your token expires, you can refresh it by calling the Token Exchange API again with your original key ID and secret key.

You can generate a new token before your previous token has expired. Generating a new token doesn't invalidate your previous token.

Available roles

The following roles are available for admin API authentication:

Loading...