Frequently Asked Questions
Common questions and solutions for authentication, BLUI, platform issues, and integration with the Unreal SDK.
Platform & Technical Setup
Is PKCE login supported for Windows?
As of 6 May 2025, PKCE is supported on Windows (alpha release). Prior to this date, PKCE was only available on Android, iOS, and macOS.
We strongly recommend developers begin migrating to PKCE to ensure a smooth transition before the sunset date.
| Date | Event |
|---|---|
| Before May 6, 2025 | PKCE only on Android, iOS, macOS |
| May 6, 2025 | PKCE Windows support (alpha) |
| July 1, 2025 | Device Code Authorization sunset |
Why do I need to disable the WebBrowserWidget plugin to use BLUI?
Both BLUI and Epic’s WebBrowserWidget plugin utilise the Chromium Embedded Framework (CEF) in the background. The Immutable plugin requires CEF to run its internal libraries, including player/gamer authentication procedures. In Unreal Engine 4, the CEF libraries are outdated and cannot execute the source code of the internal libraries. Therefore, we require the BLUI plugin to be used instead of the WebBrowserWidget plugin.
| Platform | CEF Version Needed | UE4 WebBrowserWidget | BLUI Plugin |
|---|---|---|---|
| Windows | CEF 90+ | ❌ Outdated | ✅ Up-to-date |
| Android | N/A | ✅ Native WebView | N/A |
| iOS/macOS | N/A | ✅ WKWebView | N/A |
Unreal Engine 5 may have updated CEF libraries. Check your UE version’s CEF version if using UE5.
Why am I experiencing issues using the Xsolla plugin?
This issue is known and occurs with Unreal Engine 4.26 and 4.27. If you are having trouble running the Xsolla plugin with the Immutable Unreal SDK and BLUI plugins enabled, it is because of a conflict between Chromium Embedded Framework browser processes.
Our Immutable plugin needs the BLUI plugin to be enabled (see the “Why do I need to disable the WebBrowserWidget plugin to use BLUI?” section above). However, the Xsolla plugin also requires Chromium Embedded Framework to run and relies on Epic’s WebBrowser module for that, which leads to conflicts when both plugins are used together.
| Plugin | CEF Requirement | Implementation |
|---|---|---|
| Immutable SDK | Requires BLUI | Uses BLUI’s CEF |
| Xsolla SDK | Requires WebBrowser | Uses Epic’s WebBrowser CEF |
| Result | ❌ Both plugins enabled | CEF process conflict |
Workarounds:
- Use only one plugin at a time (not ideal for production)
- Upgrade to Unreal Engine 5 (may resolve CEF conflicts)
- Contact Xsolla support for alternative integration methods
Regional Support
What regions are supported?
The Immutable Game SDK supports only the regions that Immutable Passport supports.
Passport is a globally available product. However, our wallet infrastructure is subject to the regulation of the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”). OFAC administers and enforces comprehensive and targeted economic and trade sanctions programs on multiple countries and regions.
Users attempting to access Passport in any of the regions under OFAC sanction will have their access blocked and will be unable to use our product. Additionally, components of Passport’s infrastructure also rely on technology provided by Magic, which maintains further details regarding unsupported regions on their website here.
Authentication
Can I use a WebView instead of the system browser for login?
This is not possible due to security reasons. Vendors like Google also block login through webviews because the hosting applications can steal credentials.
See the “Why is the in-app browser used for Passport login on mobile and not a webview?” section below for more details.
Why is the in-app browser used for Passport login on mobile and not a webview?
The in-app browser is specifically designed for single sign-on (SSO) purposes, making it a much more secure option. This browser runs on a separate process from the hosting game, meaning the game cannot access it, modify any content, or inject malicious code.
WebView gives the hosting game full control, allowing it to intercept requests and inject JavaScript. This is why OAuth providers like Google block WebView authentication.
| Feature | In-App Browser | WebView |
|---|---|---|
| Process isolation | ✅ Separate process | ❌ Same process as app |
| App can inject code | ❌ No | ✅ Yes (security risk) |
| App can intercept requests | ❌ No | ✅ Yes (security risk) |
| Designed for SSO | ✅ Yes | ❌ No |
Platform implementations:
- Android: Chrome Custom Tabs
- iOS/macOS: ASWebAuthenticationSession
iOS shows 'Wants to Use immutable.com to Sign In' alert
To securely implement PKCE, we must use ASWebAuthenticationSession, which shows an alert. This alert cannot be removed or modified as the operating system triggers it.
Learn more about ASWebAuthenticationSession
Error 403: disallowed_useragent when logging in with Google
This error occurs because you are attempting to log in using a WebView instead of a browser. Google blocks authentication attempts from WebViews because they can be exploited to steal user credentials. The hosting app has full control over WebView content, including the ability to inject JavaScript and intercept requests.
Use the system browser or in-app browser (SFSafariViewController/Chrome Custom Tabs) instead of WebView. The SDK uses the system browser by default.
Refer to the “Can I use a WebView instead of the system browser for login?” section above for more information.
Why custom URL schemes instead of Universal Links?
Custom URL schemes are used because ASWebAuthenticationSession doesn’t reliably trigger Universal Links after authentication. Universal Links depend on Safari’s verification process, which can be inconsistent. Custom URL schemes ensure immediate redirection to the app and a reliable experience.
This approach is secure because ASWebAuthenticationSession ensures that only the calling app receives the callback even if other apps register the same custom URL scheme. This prevents callback interception by other apps and ensures the security of the authentication process.
Integration & Usage
Can I use the SDK for crafting?
You can use the zkEVM Send Transaction function in the SDK to call your smart contract crafting function.
Crafting typically involves calling a smart contract that burns input NFTs and mints a new crafted NFT.
I use a custom engine. How can I integrate with Immutable?
Yes! The Unity and Unreal SDKs share a common architecture that you can adapt for custom game engines.
See the Game Bridge Architecture documentation for more details.