Photon can encrypt messages between client and server, which is a must-have for sending authentication input or other sensitive user data.

On the other hand, encryption causes a fair amount of overhead, so it is used sparingly and is not exposed much in our APIs.

For example: in our default logic, events go to all players of a room, so their content can't be too secret to send openly. Events are therefore not encrypted by default.

Our client SDKs use it only for authentication. As a developer, you can enable it per message.

Technical Details

When you use Photon LoadBalancing or PUN, the API will automatically exchange encryption keys between client and server. This is done via Diffie-Hellman Key Exchange when the client connects.

The resulting 160-bit key is then used for AES encryption on demand.

Once a client is authenticated, the server will issue a Token, an encrypted summary of the client's auth values to be used on other servers. The Token does not need to be read by the client.

Token Refresh

By default, Photon tokens expire after 1 hour, but in most cases they are refreshed for the client automatically. The refresh happens in two cases:

  1. when switching from Master Server to Game Server, if you create or join a room.
  2. as long as the client keeps raising events inside the room. However, if a client stays inside a room for more than 1 hour without raising any event the token will not be refreshed and will expire. The client may stay longer on the Game Server without any issues. It will get disconnected due to an authentication error when trying to go back to the Master Server after leaving the room. The solution to the issue is to reconnect and authenticate again.
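The idle-in-room case above is easy to miss in a client, so here is an added example (not part of the Photon docs or SDK) of a guard that tracks how long the client has been inside a room without raising an event and, once the token is likely expired, reconnects and authenticates again after leaving the room. It assumes the PUN classic callback names (OnJoinedRoom, OnLeftRoom, OnDisconnectedFromPhoton), PhotonNetwork.ConnectUsingSettings(), that PhotonNetwork.AuthValues still holds the credentials used for the first connection, and the 1-hour default token lifetime; the game version string is a placeholder.

```csharp
using UnityEngine;

// Added example, not Photon SDK code. Assumes PUN classic callback names and
// PhotonNetwork.ConnectUsingSettings(); the 1 hour limit is the default token
// lifetime from the docs. PhotonNetwork.AuthValues is expected to still hold
// the credentials, so the reconnect authenticates again.
public class TokenExpiryGuard : Photon.PunBehaviour
{
    const string GameVersion = "1.0";                 // placeholder
    const float TokenLifetimeSeconds = 60f * 60f;     // 1 hour default

    float lastRefreshTime;   // last moment the token is known to be fresh
    bool inRoom;
    bool reconnectPending;

    // Call this wherever your game raises events (PhotonNetwork.RaiseEvent):
    // every event raised inside the room refreshes the token on the Game Server.
    public void NoteEventRaised()
    {
        if (inRoom)
        {
            lastRefreshTime = Time.realtimeSinceStartup;
        }
    }

    // True once the client has been silent in the room longer than the token lifetime.
    public bool TokenLikelyExpired()
    {
        return inRoom && Time.realtimeSinceStartup - lastRefreshTime > TokenLifetimeSeconds;
    }

    public override void OnJoinedRoom()
    {
        // Joining or creating a room moved us to the Game Server, which refreshed the token.
        inRoom = true;
        lastRefreshTime = Time.realtimeSinceStartup;
    }

    public override void OnLeftRoom()
    {
        // Returning to the Master Server with an expired token ends in an
        // authentication error; remember that a full reconnect is needed.
        reconnectPending = TokenLikelyExpired();
        inRoom = false;
    }

    public override void OnDisconnectedFromPhoton()
    {
        if (!reconnectPending)
        {
            return;
        }
        reconnectPending = false;
        Debug.Log("Token expired while idle in room; reconnecting to authenticate again.");
        PhotonNetwork.ConnectUsingSettings(GameVersion);
    }
}
```

The guard does not try to keep the token alive by itself; it only makes the expected failure explicit and turns the "reconnect and authenticate again" step from the docs into code, instead of leaving the client stuck on a disconnect it did not anticipate.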

Other Security Recommendations

If you use Custom Authentication, Webhooks or WebRPCs, make sure to use HTTPS instead of HTTP. In Custom Authentication, you should also prefer POST over GET. And if you combine Custom Authentication with Webhooks or WebRPCs, you can make use of the AuthCookie.

If you use Unity's WebGL export to connect to Photon Cloud, the client will connect via Secure WebSockets. We recommend using WSS instead of WS when self-hosting as well.

Encryption in PUN

In PUN, you can call RPCs in a secure way by calling RpcSecure() on a PhotonView.

Encryption Of Operations

All C# APIs have a class called PhotonPeer. It is a lower-level class which offers a method OpCustom(). This is the basis for all operation calls a client does, and it has a parameter for encryption.

In PUN, the PhotonNetwork.networkingPeer is a PhotonPeer. In LoadBalancing, it's the LoadBalancingClient.loadBalancingPeer.

Use OpCustom() with the encrypt parameter set to true if needed.
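As an added example (not code from the Photon docs or SDK) covering both the RpcSecure() call from the "Encryption in PUN" section and the OpCustom() encrypt parameter described here, the class below sends a secret two ways: as an encrypted RPC and as a custom operation that refuses to send anything while encryption is not yet established. It assumes the PUN classic API names (Photon.MonoBehaviour with its photonView, PhotonTargets, the RpcSecure(methodName, target, encrypt, params) signature, [PunRPC]), the PhotonPeer.IsEncryptionAvailable property and the five-argument OpCustom() overload; the operation code and parameter key are placeholders for a custom server-side operation.

```csharp
using System.Collections.Generic;
using ExitGames.Client.Photon;
using UnityEngine;

// Added example, not Photon SDK code. Assumes PUN classic names:
// Photon.MonoBehaviour.photonView, PhotonTargets, RpcSecure(name, target, encrypt, args),
// PhotonPeer.IsEncryptionAvailable and OpCustom(code, params, reliable, channel, encrypt).
public class SecureMessaging : Photon.MonoBehaviour
{
    // Placeholder values for a custom server-side operation, not real Photon op codes.
    const byte OpCodeSubmitSecret = 200;
    const byte ParamSecret = 1;

    // 1) PUN: an RPC whose arguments must not travel in the clear.
    public void SendSessionSecret(string secret)
    {
        // Third argument is the encrypt flag. Targets work as for a normal RPC,
        // but the payload is encrypted with the session key from the key exchange.
        photonView.RpcSecure("ReceiveSessionSecret", PhotonTargets.MasterClient, true, secret);
    }

    [PunRPC]
    void ReceiveSessionSecret(string secret, PhotonMessageInfo info)
    {
        // Only the master client receives this, and only over the encrypted path.
        Debug.Log("secret received from player " + info.sender.ID);
    }

    // 2) Lower level: a custom operation with the encrypt parameter set.
    // Returns false and sends nothing while encryption is not established,
    // so the secret can never leave the client unencrypted by mistake.
    public static bool SubmitSecretEncrypted(PhotonPeer peer, string secret)
    {
        if (peer == null || !peer.IsEncryptionAvailable)
        {
            return false;
        }

        var parameters = new Dictionary<byte, object> { { ParamSecret, secret } };
        // sendReliable = true, channelId = 0, encrypt = true
        return peer.OpCustom(OpCodeSubmitSecret, parameters, true, 0, true);
    }
}
```

In PUN, pass PhotonNetwork.networkingPeer as the peer; in LoadBalancing, pass LoadBalancingClient.loadBalancingPeer. The explicit IsEncryptionAvailable check matters because encryption is negotiated after connecting: an operation sent before EncryptionEstablished arrives would otherwise be the one unprotected copy of the data.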

Manually Establish Encryption

If you use the LoadBalancing API or PUN, you don't need to do this manually. Only if you build your client from scratch do you have to establish encryption yourself after connecting.

In the best case, call peer.EstablishEncryption() in OnStatusChanged like this:

    public void OnStatusChanged(StatusCode returnCode)
    {
        // handle returnCodes for connect, disconnect and errors (non-operations)
        switch (returnCode)
        {
            case StatusCode.Connect:
                peer.EstablishEncryption(); // start the key exchange right after connecting
                break;
        }
    }

The library takes care of sending and handling the required keys. When this finishes, the client library will call OnStatusChanged with one of these codes:

    public void OnStatusChanged(StatusCode returnCode)
    {
        // handle returnCodes for connect, disconnect and errors (non-operations)
        switch (returnCode)
        {
            // ...
            case StatusCode.EncryptionEstablished:
                // encryption is now available
                // this is used per operation call
                break;
            case StatusCode.EncryptionFailedToEstablish:
                // if this happens, get in contact with Exit Games
                break;
        }
    }
