Authentication

All requests to the Toffee gCOM API must include your publishable or secret key:

Authorization: Bearer <your_key>

You'll receive this key when you register your game with Toffee gCOM. The publishable key can be safely used in client-side code.

Key Types

Toffee gCOM uses two types of API keys:

Publishable Keys

Usage: Client-side requests (mobile apps, web games)
Security: Safe to expose in client code
Permissions: Can fetch offers

Secret Keys

Usage: Server-side requests only
Security: Keep confidential - server-side only
Permissions: Full API access including sensitive operations

Example Usage

Client-side (Publishable Key)

POST /toffee.v1.OfferService/FetchOffer
Authorization: Bearer pk_test_abc123
Content-Type: application/json

{
  "user_id": "player_42",
  "user_metadata": {
    "level": "15"
  }
}

Server-side (Secret Key)

POST /toffee.v1.OfferService/GetOffer
Authorization: Bearer sk_test_xyz789
Content-Type: application/json

{
  "id": "offer_abc123"
}

Error Handling

Common authentication errors:

unauthorized: Verify your key has the required permissions for the endpoint

Key Types​

Publishable Keys​

Secret Keys​

Example Usage​

Client-side (Publishable Key)​

Server-side (Secret Key)​

Error Handling​