Game Auth Glossary
Plain-English definitions of the authentication terms game developers actually run into: SSO, OAuth 2.0, PKCE, access and refresh tokens, and more.
Authentication has its own vocabulary, and most of it shows up the moment you try to add login to a game. This glossary defines the terms in plain English, with the game-development context that generic OAuth docs skip — what each concept means when the client is a Unity build on someone's phone rather than a web app on a server.
The fundamentals
Start with what SSO is and OAuth 2.0 explained if the whole model is new to you. PKCE is the piece that makes OAuth safe on a client you can't keep a secret in — which is exactly the situation a shipped game build is in.
Tokens and sessions
Most login bugs are really token bugs. The access vs refresh token and id_token vs access_token entries clear up what your game actually holds and sends. Token storage in Unity covers where to keep them safely per platform, and session management explains what happens on a second login, a logout, or a ban.
The return trip
The other cluster of confusion is getting the player back into your build after they authenticate. Redirect URIs and deep linking in Unity explain the fixed callback the provider talks to and the platform-specific link that hands control back to your game.
- Glossary
Access Tokens vs Refresh Tokens (for Game Developers)
Access token vs refresh token, explained for games — what each one does, how long they last, token rotation, and how to store them safely in Unity.
Jul 1, 20264 min read - Glossary
Deep Linking in Unity (iOS & Android) for OAuth Redirects
How deep linking gets an OAuth login back into a running Unity game — custom URL schemes, iOS Universal Links, Android App Links, and the fallback when the app isn't there.
Jul 1, 20263 min read - Glossary
id_token vs access_token (for Game Developers)
id_token vs access_token, explained for games — one proves who the player is, the other authorizes API calls. Why mixing them up breaks logins, and what Oathwall actually returns.
Jul 1, 20263 min read - Glossary
OAuth 2.0 Explained for Game Developers
OAuth 2.0 in plain terms for game devs — the roles, the authorization code flow, and why your game is a 'public client' that can't hold a secret.
Jul 1, 20264 min read - Glossary
What Is PKCE and Why Your Game Needs It
PKCE explained for game developers — how Proof Key for Code Exchange protects OAuth on devices that can't keep a secret, and where it fits in a Unity login.
Jul 1, 20263 min read - Glossary
What Is a Redirect URI (and how to set one for a game)?
A redirect URI, explained for game developers — what it is, why OAuth needs it, the redirect_uri_mismatch error, and the one value to register for every provider with Oathwall.
Jul 1, 20263 min read - Glossary
Session Management for Games (Keep Players Signed In, Safely)
Session management for games, explained — keeping players signed in across launches and devices, refresh and rotation, revoking sessions, and instant bans with Oathwall.
Jul 1, 20263 min read - Glossary
Securely Storing Auth Tokens in Unity
How to store auth tokens in a Unity game without leaking them — why PlayerPrefs is the wrong place, iOS Keychain and Android Keystore, WebGL limits, and what to protect most.
Jul 1, 20263 min read - Glossary
What Is SSO (Single Sign-On)? A Game Developer's Guide
SSO lets players sign in to your game with an account they already have — Google, Apple, Steam. Here's what single sign-on means and why it matters for games.
Jul 1, 20263 min read
Frequently asked questions
- Why does a game developer need to know these auth terms?
- Because the errors you hit while wiring up login are almost always about one of these concepts — a redirect URI that doesn't match, an access token that expired, a refresh token you stored in the wrong place. Knowing what each piece is makes the difference between guessing and fixing it in a minute.
- What's the difference between an access token and a refresh token?
- An access token is a short-lived credential your game sends with each API call — in Oathwall it's a signed JWT that expires in about an hour. A refresh token is a longer-lived, opaque value you exchange for a fresh access token when the old one runs out, so the player doesn't have to sign in again. They're covered in detail in the access vs refresh token entry.
- Does Oathwall give my game an ID token like Google does?
- No. Providers like Google and Apple issue an id_token, but Oathwall parses that server-side and doesn't pass it to your game. Your build gets an access token and a refresh token; you read the player's profile from the API. The id_token vs access_token entry explains why that separation exists.