Skip to content
PairKit

Authentication

PairKit’s hosted relay is moving from “open to anyone” to “per-customer keys” so usage can be attributed and (later) billed. This page is the 60-second walkthrough.

What you need

  • An account at app.pairkit.dev.
  • The Unity SDK at v0.5.0 or later — earlier versions don’t have the apiKey field on PhoneControllerManager.

Get a key

  1. Sign up, verify your email, sign in.

  2. Create an app — a named container for your keys. Most users have one app per game; teams use one app per environment (dev / staging / prod). The name is for your own organization, the relay doesn’t read it.

  3. Generate an API key. The dashboard shows the plaintext once:

    pk_live_AbCd1234abcdef0123456789…

  4. Copy it now. After you dismiss the banner, only the prefix remains visible. If you lose the key, generate a new one and revoke the old.

Paste it into Unity

  1. Select the GameObject with PhoneControllerManager in your scene.

  2. Paste your key into the API Key field (under the Authentication section of the inspector).

  3. Press play. The relay’s logs will show your key’s prefix instead of absent:

    "key_prefix":"pk_live_AbCd"

The custom inspector masks the field by default — click Reveal if you need to copy/paste.

Rollout — open mode vs strict mode

The relay runs in open mode during the phase 6 rollout window. That means:

  • Connections without an API key are still accepted, with a structured Sentry breadcrumb (api_key_open_mode_passthrough) so we can track migration.
  • Connections with an invalid or revoked key are also accepted in open mode — same breadcrumb.

After phase 6.5’s cutover, the relay flips to strict mode:

  • Connections without an API key reject with system.error code=unauthorized.
  • Revoked keys stop working within 60 seconds (the cache TTL).

Get a key before the cutover. We’ll announce it in the changelog and give a one-week deprecation window.

Revocation

If a key leaks (e.g. you committed a scene to a public repo), revoke it:

  1. Open the app in app.pairkit.dev.
  2. Find the key by its prefix.
  3. Click Revoke. Confirm.

The relay’s cache picks up the revocation within 60 seconds. Existing sessions stay alive (they’re already authenticated); new session.create calls with that key return unauthorized once strict mode is on.

LAN mode

LAN mode ignores the API key field — there’s no auth layer. The Unity build hosts the relay in-process; phones connect directly over WiFi. See LAN mode for the full picture.

If you set apiKey and switch to LAN mode, the field is harmless — just unused.

Common gotchas

  • Whitespace. Trailing newlines from copy/paste are trimmed automatically by the SDK before sending. If your key shows pk_live_AbCd… but the relay rejects it, double-check there’s no embedded space — the Reveal toggle in the inspector helps.
  • Multiple environments. One app per environment is the recommended pattern. A dev app and a prod app means a leaked dev key doesn’t affect production traffic.
  • Scene commits. The key serializes with the prefab/scene. If your repo is public, generate keys per-developer and use scene-local prefab variants — or wait for phase 6.6+‘s env-var loader.

Where this fits in the roadmap

  • Today (phase 6.4): SDK ships an apiKey field; relay validates in open mode.
  • Sprint 6.5: flip relay to strict mode in production; existing pre-key SDKs get a one-week deprecation window.
  • Phase 6.6+: Stripe billing, paid tiers, per-key rate limits.

For the source-of-truth format spec (hash function, validation flow, cache semantics), see docs/api-keys.md in the repo.