Unity SDK security question

We’ve been developing a game with the Convai Unity SDK for a while, and now we’ve started planning how we would ship it to a public store.

I’m concerned about the security issues regarding the Unity SDK: the Convai API key is built into the game, so any player could discover and expose it. We’re thinking about solving this issue by creating our own server proxy to handle Convai calls and deliver them back to the player, never exposing our API keys.

We wanted to make sure we’re not missing anything. Does Convai have any native features/systems to solve this issue?

Hello,

Welcome to the Convai Developer Forum!

We are currently preparing documentation on this topic, and it will be published soon.

Thank you, but can you tell me if there’s a safe way to secure our API keys in a Unity build using Convai native tools? Or if the proxy server approach is the right call? I need to know so we can start working on the proxy if that’s the safe option.

Yes, using a server-side approach is the recommended safe option if you want to avoid exposing your Convai API key in a Unity client build.

Instead of placing the API key directly in the build, you can generate a temporary access token from your backend and pass that token to the client. The token is valid for a limited time, and the API key remains securely stored on your server.

You can follow this guide for the access token flow:

https://docs.google.com/document/d/1h4PIGXcFyIw0TIsD8RN6tQIXZAn4Ogv3UozyUVh1fB4/edit?usp=sharing

In short, your backend should use the Convai API key to generate an apiAuthToken, then the Unity/WebRTC client can use that token instead of the API key. This is safer than shipping the API key inside the Unity build.
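
The flow described above, as an added sketch that is not part of the original posts and is not Convai's own code: a backend broker that keeps the API key server-side and hands an already-authenticated player only a short-lived `apiAuthToken`. The Convai token endpoint is not given in this thread, so the upstream call is a constructed stand-in (`fake_mint`); `TokenBroker`, the per-player cache and the mint rate limit are assumptions.

```python
import secrets
import time


class TokenBroker:
    """Holds the API key on the server; clients only ever receive short-lived tokens."""

    def __init__(self, api_key, mint_upstream, max_mints=3, window_s=60, clock=time.time):
        self._api_key = api_key      # never serialized into any response
        self._mint = mint_upstream   # assumption: wraps the vendor's token call
        self._max, self._window, self._clock = max_mints, window_s, clock
        self._cache = {}             # player_id -> (token, expires_at)
        self._mints = {}             # player_id -> timestamps of recent mints

    def token_for(self, player_id):
        """Call only after your own backend has authenticated player_id."""
        now = self._clock()
        cached = self._cache.get(player_id)
        if cached and cached[1] - now > 5:   # reuse until shortly before expiry
            return {"apiAuthToken": cached[0], "expires_in": int(cached[1] - now)}
        recent = [t for t in self._mints.get(player_id, []) if now - t < self._window]
        if len(recent) >= self._max:         # cap how fast one account can mint
            raise PermissionError("token mint rate limit exceeded")
        token, ttl = self._mint(self._api_key)
        self._mints[player_id] = recent + [now]
        self._cache[player_id] = (token, now + ttl)
        return {"apiAuthToken": token, "expires_in": int(ttl)}


def fake_mint(api_key, ttl=30):
    """Constructed stand-in: a real version would send api_key to the vendor."""
    return secrets.token_urlsafe(24), ttl


def demo():
    now = [1000.0]                           # controllable clock for the example
    broker = TokenBroker("SERVER_ONLY_PLACEHOLDER_KEY", fake_mint,
                         max_mints=2, window_s=120, clock=lambda: now[0])
    first = broker.token_for("player-1")
    again = broker.token_for("player-1")     # served from cache, no new mint
    now[0] += 40                             # first token has expired
    renewed = broker.token_for("player-1")   # second mint inside the window
    now[0] += 40                             # expired again, third mint attempt
    try:
        broker.token_for("player-1")
        blocked = False
    except PermissionError:
        blocked = True
    return first, again, renewed, blocked


if __name__ == "__main__":
    print(demo())
```

The cache and rate limit matter because an unauthenticated or unlimited token endpoint would let anyone spend the account's quota even though the key itself never leaves the server.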

This is very helpful. I didn’t know Convai could generate temporary keys; we were planning on making the entire Convai communication on our server and only delivering results back to the player. Thank you.