Authentication

Prerequisites

Create Passport Client

Set up your Passport client in Immutable Hub to get the credentials needed for authentication.

Create Passport Client

Step-by-step guide to creating a Passport client, configuring redirect URIs, and getting your Client ID

You’ll need:

Client ID from your Passport client in Hub
Publishable Key from your Hub project settings

These values are required to initialize Passport in the next section.

Passport Credentials Reference

Field	Type	Description
Client ID	Provided by Hub	Unique identifier for your application. Copy from Hub and use in SDK initialization.
Publishable Key	Provided by Hub	Public key safe for client-side code. Copy from Hub project settings.
Application Type	You configure	Select Web for TypeScript/web apps, Native for Unity/Unreal games.
Application Name	You configure	Identifier for your project inside Passport (e.g., “My Game”).
Redirect URIs	You configure	Where users land after successful authentication. Must exactly match `redirectUri` in your code. Examples: `http://localhost:3000/redirect` (web), `mygame://callback` (native).
Logout URIs	You configure	Where users land after logout. Must exactly match `logoutRedirectUri` in your code. Examples: `http://localhost:3000/logout` (web), `mygame://logout` (native).

Passport uses OpenID Connect (OIDC). Redirect URIs must be exact matches—wildcards aren’t supported for security reasons. Register multiple URIs for different environments (localhost, staging, production).

For complete details on client configuration, see Passport Clients in Hub.

Installation

TypeScript
Unity
Unreal

npm install @imtbl/sdk
# or
yarn add @imtbl/sdk
# or
pnpm add @imtbl/sdk

Install UniTask v2.3.3 or later The UniTask package is a dependency of our SDK.
Install Git LFS
Git LFS must be installed before adding the SDK. The SDK contains .dll files stored in Git LFS that won’t download correctly otherwise.
Add the Immutable SDK:

Package Manager
manifest.json

Open Window → Package Manager
Click + and select Add package from git URL…
Enter https://github.com/immutable/unity-immutable-sdk.git?path=/src/Packages/Passport and click Add

Open your project’s Packages/manifest.json file
Add the following in the dependencies block:

"com.immutable.passport": "https://github.com/immutable/unity-immutable-sdk.git?path=/src/Packages/Passport"

Install a Specific Version

To install a specific version of the SDK using either method above, append # followed by the version tag to the git URL:

https://github.com/immutable/unity-immutable-sdk.git?path=/src/Packages/Passport#v1.0.0

For mobile platforms and WebGL, see Platform Setup.

Install Git LFS
Git LFS must be installed before adding the SDK. The SDK contains .uasset and .umap files stored in Git LFS that won’t download correctly otherwise.
Add the SDK to your project’s Plugins directory:

Clone
Submodule
Download

From your project’s root directory:

git clone https://github.com/immutable/unreal-immutable-sdk.git Plugins/unreal-immutable-sdk

From your project’s root directory:

git submodule add https://github.com/immutable/unreal-immutable-sdk.git Plugins/unreal-immutable-sdk

Download a release, extract, and copy to your project’s Plugins/unreal-immutable-sdk folder.

Restart the Unreal Editor

Your project structure should look like:

Root/
└── Plugins/
    └── unreal-immutable-sdk/

Enable the Immutable module in your Build.cs:

Source/YourGame/YourGame.Build.cs

PublicDependencyModuleNames.AddRange(new string[] {
    "Core", "CoreUObject", "Engine", "InputCore",
    "Immutable"  // Add this
});

For mobile platforms, see Platform Setup.

Initialize Passport

TypeScript
Unity
Unreal

import { Auth, AuthConfiguration } from '@imtbl/auth';
import { Environment } from '@imtbl/config';

export const auth = new Auth(new AuthConfiguration({
  environment: Environment.SANDBOX,
  clientId: process.env.NEXT_PUBLIC_CLIENT_ID || 'YOUR_CLIENT_ID',
  redirectUri: 'http://localhost:3000/redirect',
  logoutRedirectUri: 'http://localhost:3000/logout',
  logoutMode: 'redirect', // or 'silent' - see Logout section for details
  audience: 'platform_api',
  scope: 'openid offline_access email transact',
}));

using Immutable.Passport;

public class GameManager : MonoBehaviour
{
    private Passport passport;

    async void Start()
    {
        // Initialize Passport
        passport = await Passport.Init(
            clientId: "YOUR_CLIENT_ID",
            environment: Immutable.Passport.Model.Environment.SANDBOX,
            redirectUri: "mygame://callback",
            logoutRedirectUri: "mygame://logout"
        );

        // Restore session if available
        if (await passport.HasCredentialsSaved())
        {
            await passport.Login(useCachedSession: true);
        }
    }
}

#include "Immutable/ImmutableSubsystem.h"

void AMyGameMode::BeginPlay()
{
    Super::BeginPlay();

    auto Subsystem = GetGameInstance()->GetSubsystem<UImmutableSubsystem>();
    Passport = Subsystem->GetPassport();

    if (Passport.IsValid())
    {
        FImmutablePassportInitData Data;
        Data.clientId = TEXT("YOUR_CLIENT_ID");
        Data.redirectUri = TEXT("mygame://callback");
        Data.logoutRedirectUri = TEXT("mygame://logout");
        Data.environment = TEXT("sandbox");

        Passport->Initialize(Data,
            FImtblPassportResponseDelegate::CreateUObject(this, &AMyGameMode::OnInitialized));
    }
}

Scopes

Scope	Required	Description
`openid`	✅ Yes	Returns user ID (sub claim)
`offline_access`	✅ Yes	Enables refresh tokens for persistent sessions
`email`	Optional	Access to user’s email address
`transact`	Optional	Permission to sign transactions

TypeScript
Unity
Unreal

For a more streamlined user experience, the standard Passport login prompt can be bypassed by providing the directLoginOptions parameter to the login method. This allows you to render a customised authentication prompt within your own application.Once an authentication option (email, Google, Apple, or Facebook) is passed to the login method, a popup will be opened so that the user can authenticate securely.

// Headless login with email
const user = await auth.login({
  directLoginOptions: {
    directLoginMethod: 'email',
    email: '[email protected]',
    marketingConsentStatus: 'opted_in'
  }
});

// Headless login with specific provider
const user = await auth.login({
  directLoginOptions: {
    directLoginMethod: 'google', // or 'apple', 'facebook'
    marketingConsentStatus: 'opted_in'
  }
});

Option	Description
`directLoginMethod`	The authentication provider (`email`, `google`, `apple`, or `facebook`)
`email`	Required when `directLoginMethod` is `email`, specifies the user’s email address
`marketingConsentStatus`	Marketing consent setting (`opted_in` or `unsubscribed`)

Integrates Passport authentication with EthersJS for wallet connection and interaction.

const provider = await connectWallet({ auth });
const web3Provider = new BrowserProvider(passportProvider);
const accounts = await web3Provider.send('eth_requestAccounts', []);

This implementation uses EthersJS’s BrowserProvider to interact with the Passport provider. It requests user accounts and manages the connection state, displaying the connected account address when successful.The login method can be used to log in a user and retrieve their profile information without connecting to Immutable zkEVM.

const profile: User | null = await auth.login();

This will prompt the user to select an authentication option from within an iFrame, and open a popup to securely complete the authentication process.

The PassportUI prefab provides a seamless, embedded authentication experience that keeps users within your application. This approach offers better user experience and higher conversion rates.

Setting up the PassportUI Prefab

Platform	WebView Package
Windows	Volt Unity Web Browser (UWB) - no additional packages required
iOS/Android/macOS	Vuplex WebView (paid third-party product)

1. Add the PassportUI Prefab to Your SceneChoose the appropriate prefab for your target platform:

PassportLogin_Windows.prefab - For Windows builds using UWB
PassportLogin_Vuplex.prefab - For iOS, Android, and macOS builds using Vuplex

2. Initialize PassportUI

public class MyAuthScript : MonoBehaviour
{
    public PassportUI passportUI;

    async void Start()
    {
        // Initialize with existing Passport instance
        await passportUI.InitializeWithPassport(Passport.Instance);

        // Or initialize PassportUI with automatic Passport creation
        // (uses the clientId/environment/URIs set in the Inspector)
        await passportUI.InitializeWithPassport();
    }
}

3. Handle Authentication Events

void Start()
{
    // Subscribe to authentication events
    Passport.Instance.OnAuthEvent += OnAuthEvent;
}

private void OnAuthEvent(PassportAuthEvent authEvent)
{
    switch (authEvent)
    {
        case PassportAuthEvent.LoginPKCESuccess:
            Debug.Log("User logged in successfully");
            break;
        case PassportAuthEvent.LogoutPKCESuccess:
            Debug.Log("User logged out");
            break;
        case PassportAuthEvent.ReloginSuccess:
            Debug.Log("User re-logged in with cached credentials");
            break;
    }
}

For iOS, Android, and macOS, the embedded WebView requires Vuplex WebView, a paid third-party package. Alternatively, use Standard Login which doesn’t require any WebView.

For a more streamlined user experience, bypass the standard Passport login prompt by providing the DirectLoginOptions parameter:

// Customized login with email
await passport.Login(directLoginOptions: new DirectLoginOptions(
    DirectLoginMethod.Email,
    "[email protected]",
    MarketingConsentStatus.OptedIn
));

// Customized login with specific provider
await passport.Login(directLoginOptions: new DirectLoginOptions(
    DirectLoginMethod.Google // or Apple, Facebook
));

Option	Description
`DirectLoginMethod`	The authentication provider (`Email`, `Google`, `Apple`, or `Facebook`)
`email`	Required when `DirectLoginMethod` is `Email`, specifies the user’s email address
`marketingConsentStatus`	Marketing consent setting (`OptedIn` or `Unsubscribed`)

Use the basic Login() method to show the standard Passport login prompt:

await passport.Login();

This will open an external browser window on desktop or an in-app browser on mobile devices, prompting the user to select an authentication option and complete the authentication process securely.

Stored Credentials

Once the gamer is connected to Passport, the SDK will store credentials (access, ID, and refresh tokens). Use Login(useCachedSession: true) to re-login using saved credentials.

bool hasCredsSaved = await passport.HasCredentialsSaved();
if (hasCredsSaved)
{
    await passport.Login(useCachedSession: true);
    // Successfully re-logged into Passport
}

The Embedded Login uses a pre-built UI that runs inside your game’s Web Browser widget for the identity-only login flow.

UImmutableJSConnectorBrowserWidget* BrowserWidget = ...;
if (UImtblEmbeddedLoginAsyncAction* LoginAsyncAction =
    UImtblEmbeddedLoginAsyncAction::Login(/* WorldContextObject */ this, BrowserWidget))
{
    LoginAsyncAction->Activate();
}

For a more streamlined user experience, bypass the standard Passport login prompt by providing the DirectLoginOptions parameter. Once an authentication option (email, Google, Apple, or Facebook) is passed, a popup will be opened so that the user can authenticate securely.

// Customised login with email
FImmutableDirectLoginOptions EmailOptions;
EmailOptions.DirectLoginMethod = EImmutableDirectLoginMethod::Email;
EmailOptions.Email = TEXT("[email protected]");
EmailOptions.MarketingConsentStatus = EImmutableMarketingConsentStatus::Opted_In;
UImtblConnectionAsyncActions::Login(/* WorldContextObject */ this, EmailOptions);

// Customised login with specific provider
UImtblConnectionAsyncActions::Login(/* WorldContextObject */ this,
    {EImmutableDirectLoginMethod::Google}); // or Apple, Facebook

Option	Description
`DirectLoginMethod`	The authentication provider (`Email`, `Google`, `Apple`, or `Facebook`)
`Email`	Required when `DirectLoginMethod` is `Email`, specifies the user’s email address
`MarketingConsentStatus`	Marketing consent setting (`Opted_In` or `Unsubscribed`)

Use the basic Login() method without any parameters to show the standard Passport login prompt:

UImtblConnectionAsyncActions::Login(/* WorldContextObject */ this);

This will open an external browser window on desktop or an in-app browser on mobile devices, prompting the user to select an authentication option and complete the authentication process securely.

Stored Credentials

Once the gamer is connected to Passport, the SDK will store credentials (access, ID, and refresh tokens).You can use the HasStoredCredentials async action to check if the gamer has stored credentials before deciding whether to show login options in your UI.

The HasStoredCredentials async action is currently Blueprint-compatible only. For C++, use the Passport instance methods directly.

Handle the Callback

On your redirect URI page, process the authentication callback:

React
Vanilla JS

// pages/callback.tsx or app/callback/page.tsx
import { useEffect } from 'react';
import { useRouter } from 'next/router';

export default function Callback() {
  const router = useRouter();

  useEffect(() => {
    async function handleCallback() {
      try {
        await auth.loginCallback();
        router.push('/dashboard');
      } catch (error) {
        console.error('Callback error:', error);
        router.push('/login?error=callback_failed');
      }
    }
    handleCallback();
  }, []);

  return (
    <div className="flex items-center justify-center min-h-screen">
      <p>Completing login...</p>
    </div>
  );
}

// callback.ts
async function handleCallback() {
  try {
    await auth.loginCallback();
    window.location.href = '/dashboard';
  } catch (error) {
    console.error('Callback error:', error);
    window.location.href = '/login?error=callback_failed';
  }
}

handleCallback();

Get User Information

User Profile

TypeScript
Unity

// Get user info from the ID token
const userInfo = await auth.getUserInfo();

console.log({
  userId: userInfo.sub,          // Unique Passport user ID
  email: userInfo.email,         // If email scope granted
  emailVerified: userInfo.email_verified,
});

var userInfo = await passport.GetUserInfo();

Debug.Log($"User ID: {userInfo.Sub}");
Debug.Log($"Email: {userInfo.Email}");

Session Management

Check If Logged In

TypeScript
Unity
Unreal

async function isLoggedIn(): Promise<boolean> {
  return auth.isLoggedIn();
}

async Task<bool> IsLoggedIn()
{
    return await passport.HasCredentialsSaved();
}

Passport->HasStoredCredentials(
    FImtblPassportResponseDelegate::CreateLambda([](FImmutablePassportResult Result) {
        bool hasCredentials = Result.Success && Result.Message.ToBool();
        UE_LOG(LogTemp, Log, TEXT("Has credentials: %s"), hasCredentials ? TEXT("true") : TEXT("false"));
    }));

Get Access Token

For authenticated API calls to your backend:

const accessToken = await auth.getAccessToken();

// Use in API requests
const response = await fetch('/api/user/inventory', {
  headers: {
    Authorization: `Bearer ${accessToken}`,
  },
});

Get ID Token

The ID token contains user identity claims:

const idToken = await auth.getIdToken();
// JWT containing user claims (sub, email, etc.)

Logout

TypeScript
Unity
Unreal

Default behavior - logs out without redirecting.

async function logout() {
  try {
    await passportInstance.logout();
  } catch (error) {
    console.error('Logout failed:', error);
  }
}

Logout with Redirect

To redirect users after logout, configure logoutMode: 'redirect' at initialization, then call logout:

// 1. Configure redirect mode
const passportInstance = new passport.Passport({
  baseConfig: {
    environment: config.Environment.SANDBOX,
    publishableKey: process.env.NEXT_PUBLIC_PUBLISHABLE_KEY,
  },
  clientId: process.env.NEXT_PUBLIC_CLIENT_ID,
  redirectUri: 'http://localhost:3000/redirect',
  logoutMode: 'redirect',
  logoutRedirectUri: 'http://localhost:3000/logout',
  audience: 'platform_api',
  scope: 'openid offline_access email transact',
});

// 2. Call logout - will redirect to logoutRedirectUri
async function logout() {
  try {
    await passportInstance.logout();
  } catch (error) {
    console.error('Logout failed:', error);
  }
}

async void Logout()
{
    try
    {
        // hardLogout: true = clear browser session (default), false = SDK only
        await Passport.Instance.Logout(hardLogout: true);
    }
    catch (Exception ex)
    {
        Debug.LogError($"Logout failed: {ex.Message}");
    }
}

Hard vs Soft Logout:

hardLogout: true (default): Clears SDK session and browser cookies (recommended)
hardLogout: false: Clears SDK session only; browser session persists

void Logout()
{
    // DoHardLogout: true = clear browser session, false = SDK only
    Passport->Logout(/*DoHardLogout=*/true, FImtblPassportResponseDelegate::CreateWeakLambda(this, [](FImmutablePassportResult Result)
    {
        if (Result.Success)
        {
            UE_LOG(LogTemp, Log, TEXT("Logged out successfully"));
        }
        else
        {
            UE_LOG(LogTemp, Error, TEXT("Logout failed"));
        }
    }));
}

Hard vs Soft Logout:

DoHardLogout = true: Clears SDK session and browser cookies (recommended)
DoHardLogout = false: Clears SDK session only; browser session persists

Error Handling

Common Logout Issues:

Error	Cause	Solution
Logout callback timeout	Silent logout page didn’t load	Verify logoutRedirectUri is accessible
Wallet still connected	Cleanup order wrong	Disconnect wallet before passport.logout()
Session persists (Unreal)	Soft logout used	Set DoHardLogout: true

Example (TypeScript):

try {
  await passportInstance.logout();
} catch (error) {
  console.error('Logout failed:', error);
  // Fallback: clear local state anyway
  clearUserState();
}

Backend JWT Validation

Validate Passport JWTs on your server to secure API endpoints.

Node.js with jose

import { createRemoteJWKSet, jwtVerify } from 'jose';

// Create JWKS client (cache this)
const JWKS = createRemoteJWKSet(
  new URL('https://auth.immutable.com/.well-known/jwks.json')
);

export async function validatePassportToken(token: string) {
  try {
    const { payload } = await jwtVerify(token, JWKS, {
      issuer: 'https://auth.immutable.com/',
      audience: 'platform_api',
    });
    
    return {
      valid: true,
      userId: payload.sub,
      email: payload.email,
    };
  } catch (error) {
    return { valid: false, error: error.message };
  }
}

Express Middleware

import { Request, Response, NextFunction } from 'express';

export async function requireAuth(
  req: Request, 
  res: Response, 
  next: NextFunction
) {
  const authHeader = req.headers.authorization;
  
  if (!authHeader?.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Missing token' });
  }
  
  const token = authHeader.slice(7);
  const result = await validatePassportToken(token);
  
  if (!result.valid) {
    return res.status(401).json({ error: 'Invalid token' });
  }
  
  req.user = { id: result.userId, email: result.email };
  next();
}

// Usage
app.get('/api/inventory', requireAuth, (req, res) => {
  const userId = req.user.id;
  // Fetch inventory for this user
});

JWT Claims Reference

Claim	Type	Description
`sub`	string	Unique Passport user ID
`iss`	string	Always `https://auth.immutable.com/`
`aud`	string	Your audience (e.g., `platform_api`)
`exp`	number	Expiration timestamp
`iat`	number	Issued at timestamp
`email`	string	User’s email (if scope granted)
`email_verified`	boolean	Whether email is verified

Error Handling

Handle authentication errors gracefully to provide better user experience:

import { PassportError, PassportErrorType } from '@imtbl/auth';

async function handleLogin() {
  try {
    await auth.login();
    console.log('Login successful');
  } catch (error) {
    if (error instanceof PassportError) {
      switch (error.type) {
        case PassportErrorType.AUTHENTICATION_ERROR:
          console.error('Login failed:', error.message);
          // Show user-friendly error message
          break;
        case PassportErrorType.USER_REGISTRATION_ERROR:
          console.error('User registration failed:', error.message);
          // Handle registration failure
          break;
        case PassportErrorType.WALLET_CONNECTION_ERROR:
          console.error('Wallet connection failed:', error.message);
          // Retry connection or show error
          break;
        default:
          console.error('Unknown error:', error);
      }
    }
    throw error;
  }
}

Common Error Types

Error Type	Description	Recommended Action
`AUTHENTICATION_ERROR`	Login or authentication failed	Ask user to try again or use different provider
`USER_REGISTRATION_ERROR`	User registration failed	Check if user already exists or retry
`WALLET_CONNECTION_ERROR`	Failed to connect wallet	Retry connection or check network
`INVALID_CONFIGURATION`	Invalid Passport configuration	Verify clientId and redirectUri

Next Steps

Framework Setup

Integrate with Next.js, Vite, and other frameworks

Wallet Operations

Connect wallet, send transactions, and sign messages

Architecture

Understand the security model

PRODUCTS

GUIDES

Prerequisites

Create Passport Client

Create Passport Client

Passport Credentials Reference

Installation

Install a Specific Version

Initialize Passport

Scopes

Setting up the PassportUI Prefab

Stored Credentials

Stored Credentials

Handle the Callback

Get User Information

User Profile

Session Management

Check If Logged In

Get Access Token

Get ID Token

Logout

Logout with Redirect

Error Handling

Backend JWT Validation

Node.js with jose

Express Middleware

JWT Claims Reference

Error Handling

Common Error Types

Next Steps

Framework Setup

Wallet Operations

Architecture

PRODUCTS

GUIDES

​Prerequisites

​Create Passport Client

Create Passport Client

​Passport Credentials Reference

​Installation

​Install a Specific Version

​Initialize Passport

​Scopes

​Login

​Headless Login

​Login with EthersJS

​Identity-only Login

​Embedded Login

​Setting up the PassportUI Prefab

​Headless Login

​Standard Login

​Stored Credentials

​Embedded Login

​Headless Login

​Standard Login

​Stored Credentials

​Handle the Callback

​Get User Information

​User Profile

​Session Management

​Check If Logged In

​Get Access Token

​Get ID Token

​Logout

​Logout with Redirect

​Error Handling

​Backend JWT Validation

​Node.js with jose

​Express Middleware

​JWT Claims Reference

​Error Handling

​Common Error Types

​Next Steps

Framework Setup

Wallet Operations

Architecture

Prerequisites

Create Passport Client

Passport Credentials Reference

Installation

Install a Specific Version

Initialize Passport

Scopes

Login

Headless Login

Login with EthersJS

Identity-only Login

Embedded Login

Setting up the PassportUI Prefab

Headless Login

Standard Login

Stored Credentials

Embedded Login

Headless Login

Standard Login

Stored Credentials

Handle the Callback

Get User Information

User Profile

Session Management

Check If Logged In

Get Access Token

Get ID Token

Logout

Logout with Redirect

Error Handling

Backend JWT Validation

Node.js with jose

Express Middleware

JWT Claims Reference

Error Handling

Common Error Types

Next Steps