Secret key management
PlayFab developer secret keys allow your Title to make PlayFab Admin and Server API calls. A secret key, also called a developer key, is strongly coupled with a PlayFab Title.
Using the Secret Keys page in Game Manager, you can create, delete, disable, and set your keys to expire. This enables you to rotate the secret keys for your titles (which was difficult to do in the past.) It also allows you to grant temporary access to your titles.
Never include your developer Secret Key in a client build that you send to your customers. Doing so exposes your title to abuse.
To manage the secret keys for your Title:
- Sign in to Game Manager.
- Select your Title.
- In the upper-right corner, select the gear icon.
- Select Title settings, then select the Secret Keys tab.
The Secret Keys page provides options to Delete keys, view the Status of each key, and its Name, Value, and Expiration time, if it has one. This table lets you audit the keys that are available.
You can rename, enable, disable, or set expirations for existing keys via the dashboard. To see the options for a key, simply select it. Each title starts with a default key.
To rotate your keys:
- Select New Secret Key.
- Enter the Name of the key, and an optional expiration date.
- Update your code to use the new key.
- Disable the old key. Select the old key and then on the Edit Secret Key page, select the Disable checkbox.
- Select SAVE SECRET KEY.
If your old keys are compromised, rotate the keys to return your Title to a secured state.
This flow is zero-downtime, and you can safely roll back each step until you delete the old key. If there are issues at the first step, you can delete your new key. No one should be using it.
At step two, both keys are active, so you can roll your code forward or back safely.
At step three, you can re-enable the key while you fix whatever was still depending on it.
When the process is complete, you do not need to delete the old key. If you delete that key, it cannot be recovered. The delete is permanent and irrevocable.
Setting a key to Expire is useful when you need to give someone temporary access to your Title.
For example, if you have a contractor working on your game, you can give them keys that only have access for as long as you expect them to need it. If they require access beyond the original expected expiration date, you can reset the expiration date to extend the lifetime of the secret key.