Epic Games Login in Unity (Epic Online Services, OAuth + PKCE)
If your game lives on the Epic Games Store, or you already lean on Epic Online Services for cross-play, "Sign in with Epic" is the login your players expect. This guide wires it up with OAuth and PKCE — no backend, no client secret baked into your build — and covers what Epic's account API actually hands back, which is less than you might assume.
When Epic login makes sense
Epic login shines in two cases: you distribute through the Epic Games Store, or you use EOS (Epic Online Services) for cross-play, matchmaking, or achievements and want a single account tying it together. In both, the player already has an Epic account, so the sign-in feels native. If you're targeting a wide consumer audience across mobile and PC, treat Epic as one option beside a mainstream provider like Google or Apple rather than the only door in.
One thing to clear up: you do not need to embed the full EOS SDK just to authenticate. Oathwall speaks to Epic's OAuth endpoints over the web, so the player signs in through Epic's account page and returns to your game authenticated. Bring in the EOS SDK later if you want the social and multiplayer features on top.
Step 1: Create an Epic product and client
- Sign in to the Epic Games Developer Portal and create (or open) a product.
- Under the product, open Clients and create a client. Epic gives you a Client ID and Client Secret.
- Set the redirect URL to exactly:
https://sso.oathwall.com/auth/callback
- Make sure the client is allowed the
basic_profilescope — that's what returns the account id and display name.
Step 2: Paste your credentials into Oathwall
In the Oathwall dashboard, add Epic as a provider and paste the Client ID and Client Secret. From here the secret stays server-side. When a player signs in, Oathwall runs the token exchange with HTTP Basic auth (the client id and secret, never shipped to the client) and completes the PKCE handshake for you. Nothing sensitive ends up in your build.
Step 3: Wire it up in Unity
Same base class, same single call as every other provider:
using PixitGames.SSOLoginKit;
public class LoginManager : SsoClientBase
{
// OAuth + PKCE, basic_profile scope. No EOS SDK
// required just to sign in, no secret in the build.
public void OnEpicButton() => StartLogin("epic");
protected override void OnLoginSuccess(LoginResult user)
{
// user.email may be absent; user.id is Epic's account id.
LinkPlayer(user.id, user.name);
}
}
StartLogin("epic") opens Epic's authorization page in the system browser. Oathwall generates the PKCE verifier and challenge, exchanges the code, and reads the account — user.id is Epic's account id, user.name is the display name, and user.email is the account email when Epic returns one.
The gotchas worth knowing
PKCE is mandatory, and it's already handled. Epic's OAuth flow requires PKCE with the S256 method — the authorization code is bound to a one-time secret so it can't be intercepted and replayed. Oathwall generates the verifier and the challenge and finishes the exchange on its servers, so you write zero crypto in Unity. If you want the full picture of why this matters for a game that opens the system browser, PKCE explained walks through the attack it blocks.
Email isn't guaranteed. Epic can return the account email, but depending on the account and scope it may be absent. That's the same discipline Steam forces on you for a different reason — build for the case where there's no email and key your player records on the stable user.id, not the address.
No avatar comes back. Epic's basic profile gives you the account id and display name, not a profile picture. If your UI wants an avatar, use your own default set keyed on the account id rather than expecting one from Epic.
Offering Epic beside a mainstream provider is the usual pattern — Epic for the players who came from the Epic ecosystem, Google or Apple for everyone else. The Unity authentication guide shows several providers sharing one login class, so adding Epic is one more StartLogin call, not another integration project.
Frequently asked questions
- Do I need the Epic Online Services SDK to add Epic login?
- Not for the login itself. Oathwall talks to Epic's OAuth endpoints over the web, so a player signs in through the Epic account page in the system browser and comes back authenticated. You'd still use the EOS SDK if you want matchmaking, achievements, or the social overlay — but sign-in doesn't require it.
- Does Epic login use PKCE?
- Yes. Epic's OAuth flow uses PKCE with the S256 method, so the authorization code can't be intercepted and reused. Oathwall generates the verifier and challenge and completes the exchange server-side — you don't implement any of it in Unity.
- Does Epic return the player's email?
- Sometimes. Epic can return the account email and display name, but email isn't guaranteed for every account or scope configuration. Treat display name as the label and the stable Epic account id as the real key for your player records.
- Is Epic login a good fit for my game?
- It's a strong fit if you ship on the Epic Games Store or already use Epic Online Services for cross-play. Players there have an Epic account and expect to sign in with it. For a broader audience, pair it with Google or Apple.