OathWall

Game Auth Glossary

Plain-English definitions of the authentication terms game developers actually run into: SSO, OAuth 2.0, PKCE, access and refresh tokens, and more.

Authentication has its own vocabulary, and most of it shows up the moment you try to add login to a game. This glossary defines the terms in plain English, with the game-development context that generic OAuth docs skip — what each concept means when the client is a Unity build on someone's phone rather than a web app on a server.

The fundamentals

Start with what SSO is and OAuth 2.0 explained if the whole model is new to you. PKCE is the piece that makes OAuth safe on a client you can't keep a secret in — which is exactly the situation a shipped game build is in.

Tokens and sessions

Most login bugs are really token bugs. The access vs refresh token and id_token vs access_token entries clear up what your game actually holds and sends. Token storage in Unity covers where to keep them safely per platform, and session management explains what happens on a second login, a logout, or a ban.

The return trip

The other cluster of confusion is getting the player back into your build after they authenticate. Redirect URIs and deep linking in Unity explain the fixed callback the provider talks to and the platform-specific link that hands control back to your game.

Frequently asked questions

Why does a game developer need to know these auth terms?
Because the errors you hit while wiring up login are almost always about one of these concepts — a redirect URI that doesn't match, an access token that expired, a refresh token you stored in the wrong place. Knowing what each piece is makes the difference between guessing and fixing it in a minute.
What's the difference between an access token and a refresh token?
An access token is a short-lived credential your game sends with each API call — in Oathwall it's a signed JWT that expires in about an hour. A refresh token is a longer-lived, opaque value you exchange for a fresh access token when the old one runs out, so the player doesn't have to sign in again. They're covered in detail in the access vs refresh token entry.
Does Oathwall give my game an ID token like Google does?
No. Providers like Google and Apple issue an id_token, but Oathwall parses that server-side and doesn't pass it to your game. Your build gets an access token and a refresh token; you read the player's profile from the API. The id_token vs access_token entry explains why that separation exists.