Session keys are cryptographic keys used to establish a secure connection between a player's device, the game server and the user's web3 account. They are generated inside the player's device and are used to authenticate requests from the player. Session keys are short-lived and typically expire after a certain period of inactivity or when the player logs out.
These keys permit users to interact with an app based on predefined conditions, such as duration, token spending limits, post frequency, or other app-specific functions.
Understanding Session Keys
Apps can incorporate a layered security model that grants tiered access to session keys, ensuring the safety of a user's funds and assets, and preventing unauthorized access via session keys.
Incorporating session keys into web3 games offers several advantages:
- Security: Session Keys are scoped, and smart contracts can dictate which instructions a specific session key can accept. By storing expiry and access information at the contract level, session keys become less vulnerable to security risks. Additionally, layered security further protects user assets.
- User Experience (UX): Session keys significantly improve crypto UX by eliminating the need for constant wallet popups while a user performs actions within a dApp for a specified duration.
- Interoperability: Session keys function at the contract level, allowing users to continue using their preferred browser wallets while interacting with a dApp that supplies a session key in the background. This maintains app interoperability and enhances UX.
Let's explore the four major steps involved in this process.
- When players log in, they should generate a session key on their device and send it to your game server.
- The sensitive part of the session key (session private key) is always securely stored on the player's device and should never be disclosed.
- The player should include the public part of the session key in subsequent requests from the player's device to the game server for authentication. Such requests should be digitally signed with the session private key.
- On the game server, validate the session key and the signature before processing the request.
- Periodically refresh the session key during the player's session to maintain security.
- Players can invalidate the session key whenever they want, e.g. after logging out or after a certain period of inactivity.
Use Cases for Session Keys
Session Keys enable a plethora of use cases, allowing developers to create web2-style user flows while harnessing the power of crypto and its native capabilities.
Some potential use cases include:
- User-friendly social media apps without interruptions.
- Rearranging assets within a wallet/inventory without having to confirm each individual change, confirming only once the arrangement is complete.
- Seamless gaming experiences with in-app NFTs.
- User-friendly and uninterrupted gameplay.
- Layered security models for all crypto apps.