Question by zeke · May 31, 2018 at 11:06 PM · apis, Authentication

What is the "Developer secret key" in PlayfabSharedSettings?

It doesn't match the secret key we have for server or admin APIs, and it doesn't match any other key shown in the playfab dashboard. Does the client API use an autogenerated key? What generates this field and what is it used for? Is it shown anywhere in the dashboard?

3 Replies

Best Answer

Answer by 1807605288 · Jul 01, 2018 at 11:29 PM

Hello everyone. It is good that you are concerned about the security of your title and your game, and I have carefully tested the situation you're asking about.

Here's the line of code that is concerning to everybody: https://github.com/PlayFab/UnitySDK/blob/master/ExampleTestProject/Assets/PlayFabSDK/Shared/Models/PlayFabSharedSettings.cs#L12

You can note the conditions where the value exists, and when it does not:
#if ENABLE_PLAYFABSERVER_API || ENABLE_PLAYFABADMIN_API || UNITY_EDITOR

UNITY_EDITOR exists anytime you're in the editor itself. And that's why you can still see the value.

I've tested this condition in the past and determined it's safe for client builds.

You can repeat my steps like this:

  • In the EdEx panel, ensure that CLIENT is the only enabled API. (Entity can be enabled or disabled, it won't affect it either way).
  • If you read all your local EDITOR files, such as the scriptable object, you'll see that developerSecretKey continues to exist. This is expected.
  • If you make a client build, and enter the resources folder, open the <your_game>_data/resources.assets file in a binary hex editor (I used Beyond Compare 4).
  • Search for your titleID, and it should clearly appear in the file, and you should see most of your other PlayFabSharedSettings values there. DeveloperSecretKey will not be there.
  • Search other binary files, and you should not find any other PlayFabSharedSettings information.
  • Thus, you can confirm that you've found the right place in the right file, and that you won't accidentally publish your server secret to your clients.

This was tested earlier this year, with Unity 2017, a little before the release of 2018.

[UPDATE] I just retested with 2018.1.0b13 (My home computer is slightly out of date), and found that this is still true. I also made the test instructions a little clearer.

Trisibo · Jul 01, 2018 at 11:53 PM

Well, just checking that ScriptableObject's code would have made that clear to me in just a few seconds instead of losing my time, and worse, making others lose theirs. I don't know why I didn't do that first. Thanks, and my most sincere apologies, @Paul Gilmore and @Brendan
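
The build check described in the best answer above, automated as an added example (not part of the original thread or the PlayFab SDK): it searches every file of a build output for the title ID, which should be found, and for the secret key, which should not. The function names, the `game_Data` directory and the sample title ID and key are constructed for illustration; both UTF-8 and UTF-16LE forms are searched on the assumption that a build may store strings either way.

```python
import os

def byte_forms(value):
    """Byte forms to search for: UTF-8 and UTF-16LE (assumed storage encodings)."""
    return {value.encode("utf-8"), value.encode("utf-16-le")}

def find_in_build(build_dir, needle, chunk=1 << 20):
    """Return sorted relative paths of files under build_dir that contain needle."""
    patterns = byte_forms(needle)
    overlap = max(len(p) for p in patterns) - 1  # catch matches split across reads
    hits = set()
    for root, _dirs, files in os.walk(build_dir):
        for name in files:
            path = os.path.join(root, name)
            tail = b""
            with open(path, "rb") as fh:
                while True:
                    block = fh.read(chunk)
                    if not block:
                        break
                    window = tail + block
                    if any(p in window for p in patterns):
                        hits.add(os.path.relpath(path, build_dir))
                        break
                    tail = window[-overlap:]
    return sorted(hits)

def audit_build(build_dir, title_id, secret_key):
    """Finding the title ID proves the settings were located; the secret must be absent."""
    title_hits = find_in_build(build_dir, title_id)
    secret_hits = find_in_build(build_dir, secret_key)
    return {
        "title_id_files": title_hits,
        "secret_key_files": secret_hits,
        "ok": bool(title_hits) and not secret_hits,
    }

def make_sample_build(root, title_id, leaked_secret=None):
    """Constructed stand-in for a build output folder, used only to exercise the audit."""
    data = os.path.join(root, "game_Data")
    os.makedirs(data)
    blob = b"\x00" * 64 + title_id.encode("utf-8") + b"\x00" * 64
    if leaked_secret is not None:
        blob += leaked_secret.encode("utf-8") + b"\x00" * 8
    with open(os.path.join(data, "resources.assets"), "wb") as fh:
        fh.write(blob)
    return root
```

A result with an empty `title_id_files` list is reported as not OK, because in that case the absence of the key proves nothing about the build.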


Answer by pfnathan · Jun 01, 2018 at 03:44 AM

Please have a look at https://community.playfab.com/questions/810/209678127-Developer-Secret-Key-Title-ID.html

zeke · Jun 01, 2018 at 03:47 AM

It sounds like the implication is that it's the server+admin api key - if that's true, why doesn't it match the API key that's shown in the playfab dashboard, the one we use for our other tooling?

Brendan ♦♦ (replying to zeke) · Jun 01, 2018 at 06:44 AM

The developer secret key should be your Secret Key from the Game Manager. It sounds like you're saying you're seeing something pre-populated, which shouldn't be the case. What exactly are you seeing in your developer secret key in your project?

Trisibo (replying to Brendan ♦♦) · Jun 29, 2018 at 06:17 PM

I also have the "DeveloperSecretKey" in the "PlayFabSharedSettings" asset, after just selecting the studio in the editor extensions. I only have the client API enabled (no admin, server, etc.) From what you said, I assume that key shouldn't go anywhere near a public build; however, the "PlayFabSharedSettings" asset is in a "Resources" folder, so it will be added to builds with the key inside. What should I do in this case?

dreadwolf (replying to zeke) · Aug 02, 2018 at 03:24 PM

I am also interested in knowing how to deal with PlayFabSharedSettings in the Resources folder. I need ENABLE_PLAYFABADMIN_API to be enabled in editor and I was surprised when I realized admin calls also worked in play mode and on device. I could turn off ENABLE_PLAYFABADMIN_API when we ship, but I think the developer key would still be compiled into the app because it's in the Resources folder. I think I will need to fix this unless someone confirms that it doesn't work the way I think it does.

dreadwolf (replying to dreadwolf) · Aug 02, 2018 at 03:28 PM

Oops, I meant to reply to @Trisibo. Can't figure out how to fix it.


Answer by Denzie Gray · Jan 11 at 07:15 PM

@Brendan

Is this issue still in effect? The project has the Developer Secret Key and I don't see any way to remove it. I assume it is stripped out on build - is that not the case?

Using the latest Editor extension

Brendan ♦♦ · Jan 11 at 09:42 PM

What issue are you referring to? The Unity build will only contain the Secret Key if one of the flags Paul mentioned is set in the code.

Denzie Gray (replying to Brendan ♦♦) · Jan 13 at 08:22 PM

@Brendan I was just asking for further clarification because in an older thread you mentioned removing the key when I asked something similar despite the key being auto-generated.

Brendan ♦♦ (replying to Denzie Gray) · Jan 13 at 10:53 PM

Yes, you should always make sure no Secret Key is shipped in your project. Since we support a wide variety of development engines and languages, the specifics of that are going to vary from project to project. If you're using our Unity SDK and Editor Extensions, the info from Paul above would be the right guidance.
