triggair
Guides

Getting started

Keys, anonymous identity, and the one-import integration loop.

Triggair is a game backend for browser games. You integrate it with one import and one publishable key; player-scoped calls authenticate themselves, and every error tells an agent how to fix it.

Keys

Every game has two key kinds. The publishable key (tg_pk_…) is safe in client code — it identifies the game and is origin-checked (CORS). The secret key (tg_sk_…) is server-only and must never ship in a client. Issue and rotate keys in the dashboard (Setup → Keys) or via the API. Only the SHA-256 hash is stored; the full key is shown once.

import { createClient } from '@triggair/sdk';
const tg = createClient({ key: 'tg_pk_your_key' });

Anonymous-first identity

There are no accounts or login screens by default. On first use the SDK mints an anonymous player token from a stable device id and silently refreshes it; every player-scoped call attaches it. For cross-device rescue, mint a recovery code the player saves once and redeem it on the new device.

const { playerId } = await tg.login();
const { code } = await tg.mintRecoveryCode(); // show once
await tg.recover(code);                         // same player, new device

CORS — the 'works locally, 403s deployed' trap

Browser calls are origin-checked. If a call only fails once deployed, add your deployed origin to the game's allowed_origins (Setup → Keys/CORS). An empty allowlist is open to any origin — set it before you ship.

Close the loop

After wiring the SDK, run the self-test — the MCP tool triggair_verify_integration or the dashboard's verify runner. It live-probes player → save → leaderboard → CORS and reports pass/fail per service with fixes.

← All guides · API reference