Authentication

The INVO Network API authenticates server-to-server requests with a single header:X-Game-Secret-Key. Every game has its own SDK key issued at registration. Send the key on every API request.

Server-to-Server Authentication

Set the SDK key on every request. No login flow, no token refresh, no cookies.

X-Game-Secret-Key: ivsdk_{your_sdk_key}

Server-side only. Never embed your SDK key in client builds, mobile apps, or browser code.

Game Server → Invo API

Your game backend calls Invo with X-Game-Secret-Key. This is the only auth pattern game engines should use.

Developer Console (Browser)

The developer dashboard at console.invo.network uses session-based login for the human accessing the UI — separate from API auth.

One Key Per Game

Each registered game has a unique secret_key in the format ivsdk_<random>. Different games on the same account get different keys.

Sandbox + Production

Two fully isolated environments with independent SDK keys. Use /sandbox/api/... for testing, /api/... for production.

Quick Example

A complete authenticated call. Replace ivsdk_YOUR_SDK_KEY with the key from your game registration.

Authenticated Request
// Production
const BASE_URL = 'https://invo.network';
// Sandbox: const BASE_URL = 'https://sandbox.invo.network/sandbox';

const SDK_KEY = process.env.INVO_SDK_KEY; // ivsdk_<random>

const response = await fetch(
  `${BASE_URL}/api/player-balances/player/by-email/player@example.com`,
  {
    headers: { 'X-Game-Secret-Key': SDK_KEY }
  }
);

const data = await response.json();
console.log(data);

Server-Side Only

Your SDK key authorises every API call as your game. Anyone holding it can move your players' balances. Treat it like a database password.

  • ✅ Store in your server's environment variables / secrets manager
  • ✅ Make API calls from your game backend, never directly from client builds
  • ❌ Never commit it to source control
  • ❌ Never bundle it into a Unity/Unreal/mobile build
  • ❌ Never include it in HTML/JavaScript served to a browser

Getting Your SDK Key

SDK keys are issued automatically when you register a game. Choose the environment that matches your stage:

🚀 Production

Register at:

console.invo.network

Live games, real-money transactions.

🧪 Sandbox (Testing)

Register at:

dev.console.invo.network

Test with virtual cards. No real money. Independent database.

1

Create your developer account

Email verification, password, profile, ToS acceptance.

2

Register your game

Game registration wizard: art, name, genre, platforms, transfer policy.

3

Copy your SDK key

Format: ivsdk_<random>. Shown in the game settings page; rotate any time it leaks.

4

Start making API calls

Send X-Game-Secret-Key on every request from your game server.

Core Endpoints

A handful of endpoints cover most integrations. Auth header is the same on all of them.

Common API Calls
const SDK_KEY = process.env.INVO_SDK_KEY;
const BASE = 'https://invo.network';

// Get player's currency balance (auto-creates if writing flow runs first)
async function getPlayerBalance(playerEmail) {
  const r = await fetch(
    `${BASE}/api/player-balances/player/by-email/${encodeURIComponent(playerEmail)}`,
    { headers: { 'X-Game-Secret-Key': SDK_KEY } }
  );
  return r.json();
}

// Player buys an in-game item with their currency balance
async function purchaseItem(payload) {
  const r = await fetch(`${BASE}/api/item-purchases/purchase-item`, {
    method: 'POST',
    headers: {
      'X-Game-Secret-Key': SDK_KEY,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(payload)
  });
  return r.json();
}

// Player sends currency to another player by phone
async function initiateSend(payload) {
  const r = await fetch(`${BASE}/api/currency-sends/initiate-send`, {
    method: 'POST',
    headers: {
      'X-Game-Secret-Key': SDK_KEY,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(payload)
  });
  return r.json();
}

Authentication Errors

401 — missing or invalid SDK key

{
  "error": "missing X-Game-Secret-Key header",
  "error_code": "INVALID_GAME_SECRET"
}

Verify the header name is exactly X-Game-Secret-Key and the value is your full ivsdk_<random> string.

403 — game inactive

Your game's status isn't live or testing. Check the developer console.

429 — rate-limited

You've exceeded the per-IP or per-key request budget for that endpoint. Body includes a retry_after seconds value; back off accordingly.

Rotating Your SDK Key

Rotate a key from the developer console at any time. The new key is shown once after rotation — copy and update your environment variables before the old key is invalidated.