OathWall
Docs

Provider Setup Guide

Oathwall acts as a secure middleware between your game and OAuth providers. You bring your own credentials — we handle the entire auth flow, token rotation, and session management.

This guide covers two things: how to get the credentials you need from each provider's developer console, and how to add them to your Oathwall app through the dashboard.

Providers10 supported
Avg. Setup Time~5 min per provider
Backend RequiredNone

Pick a provider to set up
Why bring your own credentials? We never share your players' data with other apps on our platform. Each provider account is yours — you own the OAuth app, we just run the flow.

Google logo

Google

OAuth 2.0 · Google Cloud Console

Google Sign-In uses OAuth 2.0. You'll create credentials in the Google Cloud Console and end up with a Client ID and a Client Secret.

~5 min setupEasyMost popular

Required fields

FieldDescriptionExample
Client IDYour OAuth 2.0 client identifier.123456789-abc.apps.googleusercontent.com
Client SecretThe secret paired with your Client ID.GOCSPX-xxxxxxxxxxxx

Step-by-step

1

Open Google Cloud Console

Go to console.cloud.google.com and sign in with your Google account.

2

Create or select a project

Click the project dropdown at the top left and either select an existing project or click New Project. Give it a name that identifies your game.

3

Register your app on Google Auth Platform

Navigate to Google Auth Platform in the console menu (or go directly to console.cloud.google.com/auth/overview) and complete the registration:

  • On the Audience page, choose External as the user type.
  • On the Branding page, fill in the app name, support email, and developer contact email.
  • Scopes live on the Data Access page — for basic sign-in (openid, email, profile) they are non-sensitive and need no verification.
4

Create an OAuth client and add the redirect URI

Go to Google Auth Platform → Clients and click Create Client. Select Web application as the application type, then under Authorized redirect URIs click Add URI and enter:

text
https://sso.oathwall.com/auth/callback
The redirect URI must match exactly — including the protocol and no trailing slash. Google will reject requests with a different URI.
5

Copy your credentials

Click Create. The confirmation dialog shows your Client ID and Client Secret — copy both into the Oathwall dashboard.

Google shows the Client Secret only once, at creation — afterwards the console displays just the last four characters. If you lose it, open the client's detail page and click Add Secret to rotate in a new one, then update it in the Oathwall dashboard.

Facebook logo

Facebook

OAuth 2.0 · Meta for Developers

Facebook Login is part of the Meta for Developers platform. You'll create a Meta App to get an App ID and App Secret.

~5 min setupEasyPopular

Required fields

FieldDescriptionExample
App IDYour Meta app identifier (public).1234567890123456
App SecretThe secret paired with your App ID.abc123def456...

Step-by-step

1

Open Meta for Developers

Go to developers.facebook.com and log in with a Facebook account that has developer access.

2

Create a new app

Click My Apps → Create app. On the Add use cases screen, select "Authenticate and request data from users with Facebook Login" and click Next. When Meta asks "Are you building a game?", choose No — the "Yes" path creates a Facebook Login for Gaming app, which is a different login type than the web OAuth flow Oathwall runs. Enter your app name and contact email, then click Create app.

3

Configure the use case and set the redirect URI

From the dashboard, open Use cases → Authenticate and request data from users with Facebook Login → Customize. Make sure the email permission is added, then under Settings add to Valid OAuth Redirect URIs:

text
https://sso.oathwall.com/auth/callback
email and public_profile are granted automatically — you do not need App Review or Business Verification for Oathwall's login scopes.
4

Copy your credentials

Navigate to Settings → Basic. Copy your App ID and click Show next to App Secret to reveal it.

Your app starts in Development mode — only people with a role on the app (admins, developers, testers) can log in. To allow real users, switch the app to Live. Meta requires a Privacy Policy URL, an app icon, a category, and a User data deletion callback or instructions URL before the switch is allowed.

Discord logo

Discord

OAuth 2.0 · Discord Developer Portal

Discord uses standard OAuth 2.0. You'll create an application in the Discord Developer Portal and get a Client ID and a Client Secret.

~5 min setupEasy

Required fields

FieldDescriptionExample
Client IDYour Discord application ID.1234567890123456789
Client SecretThe secret associated with your application.aBcDeFgHiJkLmNoPqRsTuV

Step-by-step

1

Open the Discord Developer Portal

2

Create a new application

Click New Application, give it a name, and click Create.

3

Add the redirect URI

In the left sidebar, go to OAuth2. Under Redirects, click Add Redirect and enter:

text
https://sso.oathwall.com/auth/callback

Click Save Changes.

4

Copy your credentials

Still on the OAuth2 page, copy your Client ID. Click Reset Secret to generate and reveal your Client Secret. If your Discord account has 2FA enabled, you'll be prompted for a code.

The Client Secret is only shown once after resetting — copy it before leaving the page. Resetting also invalidates the previous secret, so update the Oathwall dashboard right away.

Apple logo

Apple

Sign in with Apple · Apple Developer

Sign in with Apple is required for any iOS app that offers third-party login. You'll need a Services ID, a private key (.p8 file), your Team ID, and the Key ID.

~15 min setupModerateRequired for iOS
An Apple Developer Program membership ($99/year) is required. Individual or Organization accounts both work.

Required fields

FieldDescriptionExample
Client IDYour Services ID identifier (not the Bundle ID).com.yourstudio.yourgame.auth
Team IDFound under Membership details in your Apple Developer account.ABC123DEF4
Key IDThe identifier of the Sign in with Apple key.XYZKEY1234
Private KeyContents of the .p8 file downloaded from Apple.-----BEGIN PRIVATE KEY----- ...

Step-by-step

1

Open Apple Developer portal

Go to developer.apple.com/account and note your Team ID on the Membership details card.

2

Register an App ID with Sign In with Apple

Go to Identifiers → + → App IDs. Fill in Bundle ID, then scroll to Capabilities and check Sign In with Apple.

3

Create a Services ID

Go to Identifiers → + → Services IDs. The identifier becomes yourClient ID in Oathwall (e.g. com.yourstudio.yourgame.auth).

4

Configure the Services ID with the redirect URI

Click the Services ID, enable Sign In with Apple → Configure, and select your App ID as the Primary App ID. Under Website URLs you must fill in both fields:

  • Domains and Subdomains: sso.oathwall.com (at least one domain is mandatory)
  • Return URLs:
text
https://sso.oathwall.com/auth/callback
No domain-verification file upload is needed — Apple removed that requirement.
5

Create a Sign in with Apple key and download the .p8 file

Go to Keys → +, name the key and check Sign In with Apple. Click Configure and select your Primary App ID (the key can't be registered without it), then Save → Continue → Register and download the .p8 file immediately — it cannot be re-downloaded.

Store the .p8 file securely. If lost, you'll need to create a new key and revoke the old one.
6

Gather all four values

  • Client ID — the Services ID identifier
  • Team ID — top-right of the Developer portal
  • Key ID — shown on the Keys page
  • Private Key — the full contents of the .p8 file

Steam logo

Steam

OpenID 2.0 · Steamworks

Steam uses OpenID 2.0 instead of OAuth 2.0 — there is no client secret or code exchange. Login is verified through Steam's OpenID endpoint; the Web API Key is used to fetch the player's profile (name and avatar), making Steam the simplest provider to set up.

~3 min setupEasyGame-focused

Required fields

FieldDescriptionExample
API KeyYour Steam Web API Key, used to fetch player profile data (persona name, avatar) after login. Goes in the Client Secret field.A1B2C3D4E5F6...
Because Steam uses OpenID 2.0, there's no Client ID. The API Key goes into the Client Secret field in Oathwall. The key is technically optional — login works without it — but players will then have no name or avatar in your user list.

Step-by-step

1

Register for a Steam Web API Key

Go to steamcommunity.com/dev/apikey . Sign in, enter a domain name, and click Register. The domain is just a label — Steam doesn't verify it, so your studio's domain works fine.

Steam requires the Steam Guard Mobile Authenticator to be enabled and a mobile confirmation to register a key, and the account must not be limited (it needs at least one purchase). The key is tied to the Steam account that registered it — use a dedicated developer account rather than a personal one, and keep the key secret. This is the standard user Web API key; you don't need a Steamworks publisher key.
2

Copy your API Key

Your Steam Web API Key is displayed on the same page. Copy it — this is what you'll paste into Oathwall as the Client Secret.


GitHub logo

GitHub

OAuth 2.0 · GitHub Settings

Oathwall uses a GitHub OAuth App for sign-in. (GitHub also offers "GitHub Apps" — that's a different product; make sure you create an OAuth App.) Register one under your GitHub account to get a Client ID and Client Secret.

~3 min setupEasy

Required fields

FieldDescriptionExample
Client IDYour GitHub OAuth App client identifier.Ov23liAbCdEf12345678
Client SecretThe secret paired with your Client ID.abc123def456...

Step-by-step

1

Open GitHub Developer Settings

Go to github.com/settings/developers and select OAuth Apps.

2

Register a new OAuth App

Click New OAuth App and fill in the details:

  • Application name: your game's name
  • Homepage URL: your game's website
  • Authorization callback URL:
text
https://sso.oathwall.com/auth/callback

Click Register application.

3

Generate and copy your Client Secret

On the app page, copy your Client ID. Click Generate a new client secret — copy it immediately.

GitHub only shows the Client Secret once, right after generation. If you lose it, you'll need to generate a new one.

Epic Games logo

Epic Games

OAuth 2.0 · Epic Developer Portal

Epic Account Services uses the standard OAuth 2.0 authorization code flow. You need a Client ID and Client Secret from the Epic Developer Portal, plus a configured Epic Account Services application.

~10 min setupModerate
Epic does not provide user email addresses — only the display name. Epic-authenticated players will appear without an email in your user list.

Required fields

FieldDescriptionExample
Client IDYour Epic OAuth client identifier.xyza7891AbCdEfGhIjKlMnOpQrStUvWx
Client SecretThe secret paired with your Client ID.AbCdEfGhIjKlMnOpQrStUvWxYz123456

Step-by-step

1

Open the Epic Developer Portal

Go to dev.epicgames.com/portal and sign in. Select your product and navigate to Epic Account Services.

2

Create an OAuth client

Go to Product Settings → Clients and click Add new client. Choose the TrustedServer client policy (Oathwall keeps the secret server-side, so the trusted-server policy is the right fit) and add the redirect URL on the client:

text
https://sso.oathwall.com/auth/callback
3

Configure the Epic Account Services application

Under Epic Account Services, configure your application's three tabs — all of them are required for login to work:

  • Brand Settings: company name, logo, and privacy policy URL.
  • Permissions: enable Basic Profile.
  • Linked Clients: link the OAuth client you created in step 2.
Until your brand settings pass Epic's brand review (which includes domain verification), only members of your own Epic organization can sign in. Submit the review before launch, or real players will be blocked.
4

Copy your credentials

Save the client. Your Client ID and Client Secret are shown in the client detail page.


Twitch logo

Twitch

OAuth 2.0 · Twitch Developer Console

Twitch uses standard OAuth 2.0. Register an application in the Twitch Developer Console to get a Client ID and Client Secret.

~5 min setupEasy

Required fields

FieldDescriptionExample
Client IDYour Twitch application client ID.abc123def456ghi789jkl012
Client SecretThe secret paired with your Client ID.xyz987uvw654tsr321...

Step-by-step

1

Open the Twitch Developer Console

Go to dev.twitch.tv/console . Note: 2FA must be enabled on your Twitch account.

2

Register a new application

Click Register Your Application and add the redirect URI:

text
https://sso.oathwall.com/auth/callback

Choose category Game Integration and click Create.

Twitch matches the redirect URL exactly, character for character — no trailing slash or extra path.
3

Copy your credentials

Click Manage on your app. Copy the Client ID, then click New Secret to generate and copy the Client Secret.

Generating a new secret later invalidates the previous one (and any tokens minted with it) — update the Oathwall dashboard immediately if you rotate it.

Twitter / X logo

Twitter / X

OAuth 1.0a · X Developer Portal

X (Twitter) login uses OAuth 1.0a — Oathwall handles the full request-token / authorize / access-token flow for you. You need an X developer account to get an API Key and API Secret (the Consumer Keys).

~10 min setupModerate
Unlike most providers, X gates its OAuth 2.0 /2/users/me endpoint behind a paid API tier. Oathwall uses the OAuth 1.0a flow instead, which works on the free X API tier and even returns the user's email — as long as your app has a Project and "Request email from users" is enabled.

Required fields

FieldDescriptionExample
API KeyYour app's Consumer API Key. Goes in the Client ID field.wnK8n44C8vd01ySCM8MVMFGmp
API SecretYour app's Consumer API Secret. Goes in the Client Secret field.YshGrEdfVG1l7bNYdYTHJG38...

Step-by-step

1

Open the X Developer Portal & create a Project

Go to developer.x.com and make sure your app lives under a Project (not a standalone app) — v1.1 access requires it. The free tier includes one Project.

2

Configure User authentication settings

Open your app's User authentication settings and set:

  • App permissions: Read — and toggle on Request email from users if you want emails.
  • Type of App: Web App, Automated App or Bot (Confidential client).
  • Callback URI / Redirect URL:
text
https://sso.oathwall.com/auth/callback

A Website URL is also required (e.g. your game's site). Requesting email needs a Terms of Service and Privacy Policy URL on the app.

3

Copy your API Key & Secret

On the Keys and tokens tab, copy the API Key and Secret (Consumer Keys). In the Oathwall dashboard, paste the API Key into the Client ID field and the API Secret into the Client Secret field.

The API Secret is shown only once. If lost, regenerate it from the Keys and tokens tab.
You do notneed the OAuth 2.0 Client ID/Secret or the Bearer/Access tokens for login — only the Consumer API Key & Secret.

Microsoft logo

Microsoft

OAuth 2.0 · Azure Portal

Microsoft Sign-In is powered by Microsoft Entra ID (formerly Azure Active Directory). Register an application in the Microsoft Entra admin center to get a Client ID and Client Secret. Oathwall uses the common tenant — supports personal and work/school Microsoft accounts.

~15 min setupModerate

Required fields

FieldDescriptionExample
Client IDThe Application (client) ID from Microsoft Entra.a1b2c3d4-e5f6-7890-abcd-ef1234567890
Client SecretA client secret value you create in Microsoft Entra.AbC~1dEfGhIjKlMnOpQrStUvWx2YzZ3

Step-by-step

1

Open the Microsoft Entra admin center

Go to entra.microsoft.com and navigate to Entra ID → App registrations. (The legacy Azure portal blade still works too.)

2

Register a new application

Click New registration. Under supported account types choose Any Entra ID tenant + personal Microsoft accounts (on the legacy portal: "Accounts in any organizational directory and personal Microsoft accounts"). Under Redirect URI, select the Web platform — this matters; a URI registered as "Single-page application" will reject Oathwall's server-side flow — and enter:

text
https://sso.oathwall.com/auth/callback

Click Register.

3

Create a client secret

Copy the Application (client) ID from the overview page. Then go to Certificates & secrets → New client secret, add it, and copy the Value immediately.

The secret value is hidden once you navigate away. Secrets also expire — the maximum lifetime is 24 months and Microsoft recommends under 12, so plan to rotate it in the Oathwall dashboard at least annually.

Adding a Provider

Once you have your credentials, adding them to your Oathwall app takes under a minute. Each app manages its own set of providers independently.

1

Open your app in the dashboard

Sign in to the Oathwall dashboard and navigate to Apps in the sidebar. Click on the app you want to configure.

2

Go to the Providers tab

Inside your app's detail page, click the Providers tab. Unconfigured providers appear greyed out.

3

Click Configure on a provider

Find the provider you want to enable and click Configure. A panel will appear with the fields specific to that provider.

4

Fill in your credentials and save

Paste the values you collected from the provider's developer console and click Save.

Changes take effect immediately — no deployment required. Your Unity SDK picks up the new provider on the next GET /app-config/login-config/:appKey call.

Redirect URIs

Every OAuth provider requires you to whitelist the URL it will redirect to after authentication. All Oathwall callbacks go through the same endpoint.

OAuth callback URL
text
https://sso.oathwall.com/auth/callback

Provider-specific notes

Google logoGoogle

Add as an Authorized redirect URI in your OAuth client settings. Uses GET.

Facebook logoFacebook

Add under Facebook Login → Settings → Valid OAuth Redirect URIs. Uses GET.

Apple logoApple

Add as a Return URL (plus the domain) in your Services ID configuration. Apple uses POST (form_post response mode).

Steam logoSteam

No configuration needed. Steam OpenID uses the openid.return_to parameter dynamically.

Discord logoDiscord

Add under OAuth2 → Redirects in your application settings. Uses GET.

GitHub logoGitHub

Set as the Authorization callback URL when registering your OAuth App. Uses GET.

Epic Games logoEpic Games

Add under Redirect URIs in your OAuth client settings. Uses GET.

Twitch logoTwitch

Add under OAuth Redirect URLs when registering your application. Uses GET.

Twitter / X logoTwitter / X

Add as a Callback URI in User authentication settings. Uses GET.

Microsoft logoMicrosoft

Add as a Web redirect URI in Authentication settings of your Azure app registration. Uses GET.

After the OAuth flow completes, Oathwall redirects the player to sso.oathwall.com/public/auth/redirect.html with a short-lived ticket. Your game calls POST /auth/consume with the ticket to receive access and refresh tokens.

SSO Login Kit for Unity

The OathWall SSO Login Kit is the Unity client for everything this guide configured. Import it, paste your App Key, inherit one class — your game has Google, Apple, Facebook and Steam login with zero backend code and zero secrets in your build.

The kit opens the hosted sign-in page in the system browser (Unity's recommended approach — no WebView), receives the deep link callback on Android and iOS, exchanges the one-time ticket for tokens and hands you a clean LoginResult. Token storage, refresh and session checks are handled for you.

How the flow works

text
StartLogin("google")
└─ opens https://sso.oathwall.com/auth/google/start?appKey=YOUR_APP_KEY
└─ player signs in with the provider (system browser, not a WebView)
└─ deep link back into the game: yourappkey://open?ticket=...
└─ kit consumes the ticketaccess + refresh tokens (stored locally)
└─ OnLoginSuccess(LoginResult) fires in your script

What's in the package

FieldDescriptionExample
RuntimeThe kit runtime (SsoClientBase, SsoProviderButton, deep link handling).Runtime/bin
SsoSettings.assetPre-created settings asset — just paste your App Key.
ExamplesFull login implementation with UI screens you can copy from.ExampleLoginScript.cs
PrefabsReady-made login button used by the dynamic button system.LoginButton.prefab
Demo scenesTwo working scenes — bare API calls and a complete login UI.DemoLoginWithUI.unity
EditorGetting Started window and build-time deep link injection for Android/iOS.Tools → Pixit → SSO Login Kit
Everything below assumes you already created an app in the dashboard and enabled at least one provider — if not, start with Adding a Provider above. The only value the kit needs from the dashboard is your app's App Key.

Installation & Settings

1

Import the package

Get the OathWall SSO Login Kit from the Unity Asset Store and import it into your project. Everything lands under Assets/PixitGames/SSOLoginKit. After importing, open Tools → Pixit → SSO Login Kit → Getting Started for quick links to this documentation and the dashboard.

2

Configure the settings asset

Select the bundled SsoSettings.asset (or create a new one via Create → PixitGames → SSO Login Kit → Settings) and fill in the fields:

FieldDescriptionExample
SSO Base UrlThe Oathwall SSO endpoint. Leave the default unless told otherwise.https://sso.oathwall.com/auth/
App KeyYour app’s public key from the Oathwall dashboard. Also used as the deep link scheme.mygame
Verbose LogsPrints [SSOLoginKit] logs to the console. Turn off for release builds.on
The App Key is public by design — it identifies your app, it does not authenticate it. Your OAuth client secrets stay on Oathwall's servers and are never shipped inside your game build.
3

Try the demo scene

Open DemoLoginWithUI.unity, press Play and hit a login button. If your providers are configured in the dashboard, the full flow works in the editor — browser sign-in included.


Quick Start

All integration goes through one base class: SsoClientBase. Inherit it, override OnLoginSuccess, and call StartLogin with a provider key. Add the script to a GameObject in your first scene and assign the SsoSettings asset in the inspector.

csharp
using PixitGames.SSOLoginKit;
using UnityEngine;
public class LoginManager : SsoClientBase
{
// Hook these up to your UI buttons.
public void LoginWithGoogle() => StartLogin("google");
public void LoginWithApple() => StartLogin("apple");
public void LoginWithFacebook() => StartLogin("facebook");
public void LoginWithSteam() => StartLogin("steam");
protected override void OnLoginSuccess(LoginResult result)
{
Debug.Log($"Logged in: {result.name} ({result.email}) via {result.provider}");
// result.id is the stable Oathwall identity id — use it as your player key.
}
protected override void OnLoginFailed(string error)
{
base.OnLoginFailed(error);
// Show your retry UI here.
}
}

The LoginResult object

FieldDescriptionExample
idStable Oathwall identity id — the same player keeps this id across sessions.a1b2c3…
providerWhich provider the player signed in with.google
nameDisplay name from the provider, when available.Jane Doe
emailEmail from the provider. Steam does not provide one.[email protected]
pictureAvatar URL, when the provider exposes one.https://…
Provider keys match the dashboard: google, apple, facebook, steam — any provider you enable works with the same StartLogin(key) call.

Provider Buttons

Your login screen should only show providers that are actually enabled. The kit reads your app's live login config (GET /app-config/login-config/:appKey) and offers two ways to build the UI from it.

Option A — generate buttons automatically

csharp
[Header("Dynamic Provider Buttons")]
[SerializeField] private Transform providerButtonContainer;
[SerializeField] private GameObject providerButtonPrefab; // LoginButton.prefab works out of the box
private void Start()
{
// One request fetches every provider enabled in your dashboard,
// then the kit spawns one button per provider — label, icon and
// click handler are wired automatically.
CreateProviderButtons(providerButtonContainer, providerButtonPrefab, true, providers =>
{
Debug.Log($"Loaded {providers.Length} login providers.");
});
}

Option B — design your own buttons

csharp
// Prefer your own button layout? Add the SsoProviderButton component
// to each button and type the provider key (e.g. "google").
// Buttons whose provider is disabled in the dashboard hide themselves.
private void Start()
{
FetchProviderConfig(providers =>
{
Debug.Log("Login config fetched.");
});
}
Enable or disable a provider in the dashboard and your login screen updates on the next launch — no game update required.

Sessions & Silent Login

After a successful login the kit stores the access and refresh tokens locally. Returning players shouldn't see the login screen again:

csharp
public void TrySilentLogin()
{
// Uses the refresh token saved from the previous login.
// Fires OnLoginSuccess on success, OnLoginFailed otherwise —
// call it on startup to skip the login screen for returning players.
SilentLogin();
}

To protect an in-game action (a purchase, a cloud save) without tracking auth state yourself:

csharp
public void BuyItem()
{
// Gate any action behind a valid session. The kit refreshes
// the access token automatically if it has expired.
IsUserAuthenticated((isAuthenticated, user) =>
{
if (!isAuthenticated)
{
ShowLoginScreen();
return;
}
Debug.Log($"Purchase allowed for {user.name}.");
});
}
Sessions are visible — and revocable — per app in the dashboard under Sessions. A revoked session fails the next refresh, and the kit reports it through OnLoginFailed.

Android & iOS Deep Links

After the player signs in, the browser hands control back to your game through a deep link: yourappkey://open?ticket=…. The kit's editor scripts register this link automatically at build time — there is nothing to edit by hand.

Android

A post-build step injects the intent filter into the generated AndroidManifest.xml:

xml
<!-- Added to your Unity activity automatically at build time -->
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="YOUR_APP_KEY" android:host="open" />
</intent-filter>

iOS

The same step adds your scheme to CFBundleURLTypes in the generated Xcode project's Info.plist. Existing URL types are preserved and the scheme is never added twice.

The deep link scheme is derived from your App Key — if the App Key field in SsoSettings is empty at build time, the post-build step skips with a warning and logins won't return to the game.