> ## Documentation Index
> Fetch the complete documentation index at: https://docs.immutable.com/llms.txt
> Use this file to discover all available pages before exploring further.

# FAQ

# Frequently Asked Questions

Common questions and solutions for authentication, BLUI, platform issues, and integration with the Unreal SDK.

## Platform & Technical Setup

<Accordion title="Is PKCE login supported for Windows?">
  As of 6 May 2025, PKCE is supported on Windows (alpha release). Prior to this date, PKCE was only available on Android, iOS, and macOS.

  | Date               | Event                            |
  | ------------------ | -------------------------------- |
  | Before May 6, 2025 | PKCE only on Android, iOS, macOS |
  | May 6, 2025        | PKCE Windows support (alpha)     |
  | July 1, 2025       | Device Code Authorization sunset |

  <Warning>
    Device Code Authorization will be sunset on July 1, 2025 across all platforms. Migrate to PKCE before this date.
  </Warning>

  We strongly recommend developers begin migrating to PKCE to ensure a smooth transition before the sunset date.
</Accordion>

<Accordion title="Why do I need to disable the WebBrowserWidget plugin to use BLUI?">
  Both BLUI and Epic's WebBrowserWidget plugin utilise the Chromium Embedded Framework (CEF) in the background. The Immutable plugin requires CEF to run its internal libraries, including player/gamer authentication procedures. In Unreal Engine 4, the CEF libraries are outdated and cannot execute the source code of the internal libraries. Therefore, we require the BLUI plugin to be used instead of the WebBrowserWidget plugin.

  | Platform  | CEF Version Needed | UE4 WebBrowserWidget | BLUI Plugin  |
  | --------- | ------------------ | -------------------- | ------------ |
  | Windows   | CEF 90+            | ❌ Outdated           | ✅ Up-to-date |
  | Android   | N/A                | ✅ Native WebView     | N/A          |
  | iOS/macOS | N/A                | ✅ WKWebView          | N/A          |

  <Info>
    Unreal Engine 5 may have updated CEF libraries. Check your UE version's CEF version if using UE5.
  </Info>
</Accordion>

<Accordion title="Why am I experiencing issues using the Xsolla plugin?">
  This issue is known and occurs with Unreal Engine 4.26 and 4.27. If you are having trouble running the [Xsolla](https://github.com/xsolla/store-ue4-sdk) plugin with the Immutable Unreal SDK and [BLUI](https://github.com/immutable/BLUI-Unreal/tree/Imtbl4.2) plugins enabled, it is because of a conflict between Chromium Embedded Framework browser processes.

  Our Immutable plugin needs the [BLUI](https://github.com/immutable/BLUI-Unreal/tree/Imtbl4.2) plugin to be enabled (see the "Why do I need to disable the WebBrowserWidget plugin to use BLUI?" section above). However, the [Xsolla](https://github.com/xsolla/store-ue4-sdk) plugin also requires Chromium Embedded Framework to run and relies on Epic's WebBrowser module for that, which leads to conflicts when both plugins are used together.

  | Plugin        | CEF Requirement        | Implementation             |
  | ------------- | ---------------------- | -------------------------- |
  | Immutable SDK | Requires BLUI          | Uses BLUI's CEF            |
  | Xsolla SDK    | Requires WebBrowser    | Uses Epic's WebBrowser CEF |
  | Result        | ❌ Both plugins enabled | CEF process conflict       |

  <Warning>
    This is a known limitation with UE 4.26 and 4.27. No perfect solution exists without engine or plugin modifications.
  </Warning>

  **Workarounds:**

  1. Use only one plugin at a time (not ideal for production)
  2. Upgrade to Unreal Engine 5 (may resolve CEF conflicts)
  3. Contact Xsolla support for alternative integration methods
</Accordion>

## Regional Support

<Accordion title="What regions are supported?">
  The Immutable Game SDK supports only the regions that Immutable Passport supports.

  Passport is a globally available product. However, our wallet infrastructure is subject to the regulation of the US Department of the Treasury's Office of Foreign Assets Control ("OFAC"). OFAC administers and enforces comprehensive and targeted economic and trade sanctions programs on multiple countries and regions.

  Users attempting to access Passport in any of the regions under OFAC sanction will have their access blocked and will be unable to use our product. Additionally, components of Passport's infrastructure also rely on technology provided by [Magic](https://magic.link/), which maintains further details regarding unsupported regions on their website [here](https://help.magic.link/knowledge/prohibited-regions).
</Accordion>

## Authentication

<Accordion title="Can I use a WebView instead of the system browser for login?">
  This is not possible due to security reasons. Vendors like Google also block login through webviews because the hosting applications can steal credentials.

  <Warning>
    Never use WebView for authentication. It's a security risk and violates OAuth best practices.
  </Warning>

  See the "Why is the in-app browser used for Passport login on mobile and not a webview?" section below for more details.
</Accordion>

<Accordion title="Why is the in-app browser used for Passport login on mobile and not a webview?">
  The in-app browser is specifically designed for single sign-on (SSO) purposes, making it a much more secure option. This browser runs on a separate process from the hosting game, meaning the game cannot access it, modify any content, or inject malicious code.

  | Feature                    | In-App Browser     | WebView               |
  | -------------------------- | ------------------ | --------------------- |
  | Process isolation          | ✅ Separate process | ❌ Same process as app |
  | App can inject code        | ❌ No               | ✅ Yes (security risk) |
  | App can intercept requests | ❌ No               | ✅ Yes (security risk) |
  | Designed for SSO           | ✅ Yes              | ❌ No                  |

  WebView gives the hosting game full control, allowing it to intercept requests and inject JavaScript. This is why OAuth providers like Google block WebView authentication.

  **Platform implementations:**

  * Android: [Chrome Custom Tabs](https://developer.chrome.com/docs/android/custom-tabs)
  * iOS/macOS: [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession)
</Accordion>

<Accordion title="iOS shows 'Wants to Use immutable.com to Sign In' alert">
  To securely implement PKCE, we must use `ASWebAuthenticationSession`, which shows an alert. This alert cannot be removed or modified as the operating system triggers it.

  <Warning>
    This is a security feature designed to protect users from unauthorized authentication attempts. Any attempt to bypass it will cause app rejection.
  </Warning>

  [Learn more about ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession)
</Accordion>

<Accordion title="Error 403: disallowed_useragent when logging in with Google">
  This error occurs because you are attempting to log in using a WebView instead of a browser. Google blocks authentication attempts from WebViews because they can be exploited to steal user credentials. The hosting app has full control over WebView content, including the ability to inject JavaScript and intercept requests.

  Use the system browser or in-app browser (SFSafariViewController/Chrome Custom Tabs) instead of WebView. The SDK uses the system browser by default.

  Refer to the "Can I use a WebView instead of the system browser for login?" section above for more information.
</Accordion>

<Accordion title="Why custom URL schemes instead of Universal Links?">
  Custom URL schemes are used because [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession) doesn't reliably trigger Universal Links after authentication. Universal Links depend on Safari's verification process, which can be inconsistent. Custom URL schemes ensure immediate redirection to the app and a reliable experience.

  This approach is secure because [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession) ensures that only the calling app receives the callback even if other apps register the same custom URL scheme. This prevents callback interception by other apps and ensures the security of the authentication process.
</Accordion>

## Integration & Usage

<Accordion title="Can I use the SDK for crafting?">
  You can use the zkEVM Send Transaction function in the SDK to call your smart contract crafting function.

  <Info>
    Crafting typically involves calling a smart contract that burns input NFTs and mints a new crafted NFT.
  </Info>
</Accordion>

<Accordion title="I use a custom engine. How can I integrate with Immutable?">
  Yes! The Unity and Unreal SDKs share a common architecture that you can adapt for custom game engines.

  See the [Game Bridge Architecture](/docs/sdks/game-bridge-architecture) documentation for more details.
</Accordion>

## Still Need Help?

If your question isn't answered here, check the [Unreal SDK overview](/docs/sdks/unreal/overview) for implementation guides.

## Next Steps

<CardGroup cols={2}>
  <Card title="Unreal SDK" icon="gamepad" href="/docs/sdks/unreal/overview">
    Return to SDK documentation
  </Card>

  <Card title="Passport" icon="id-card" href="/docs/products/passport/overview">
    Learn about Passport authentication
  </Card>

  <Card title="Hub" icon="wrench" href="/docs/products/hub/overview">
    Set up your project in Hub
  </Card>

  <Card title="Checkout" icon="credit-card" href="/docs/products/checkout/overview">
    Integrate wallet funding
  </Card>
</CardGroup>