Authentication & API Keys
API keys authenticate your game's event traffic to the GameRebellion platform. Each key is scoped to a single game and environment.
Key Lifecycle
| Action | How | Notes |
|---|---|---|
| Create | Platform → Analytics → Your Game → Generate API Key | One key per game-engine pair. Multiple keys per game are supported. |
| View | Platform → Analytics → Your Game → API Keys | Partial key shown for security; full key displayed only on creation. |
| Revoke | Platform → Analytics → Your Game → API Keys → Revoke | Immediately invalidates the key. Events sent with a revoked key are rejected. |
| Rotate | Revoke the old key, then generate a new one | Zero-downtime rotation: generate the new key first, update your build, then revoke the old one. |
warning
There is no "edit" action — keys are immutable strings. To change a key, rotate it (create new → deploy → revoke old).
Best Practices
- Never commit API keys to version control. Use environment variables, Unity's
ScriptableObjectassets excluded from git, or your CI/CD secrets manager. - Rotate keys periodically or immediately if you suspect a leak.
- Use separate keys for Development, Staging, and Production environments to keep data isolated.
- Monitor key usage in the Platform's Analytics dashboard to detect unauthorized traffic.
How Authentication Works
┌────────────┐ X-API-Key header ┌──────────────────┐
│ Your Game │ ────────────────────────▶│ GameRebellion │
│ (SDK) │ │ Ingestion API │
└────────────┘ └──────────────────┘
│
Validate key
Route to game
Ingest events
- The SDK or S2S client sends events with the API key in the
X-API-Keyheader. - The ingestion API validates the key against the database.
- Valid keys route events to the correct game and environment.
- Invalid or revoked keys return
401 Unauthorized.