HPGAuthKit

Purpose

Handles authentication flows for the Hot Potato Games platform — sign up, sign in, token management, session persistence. Meant to be imported by any HPG app to get consistent auth behavior without reimplementing login screens and token refresh logic.

Stack

What I Learned

• Auth is the one package in the HPG SDK that genuinely justifies extraction. Authentication logic (token storage in Keychain, refresh token rotation, session expiry, biometric unlock) is security-critical code that should be written once, audited carefully, and never duplicated. A bug in auth code is not a UI glitch — it is a security vulnerability. Sharing auth through a package means fixing a vulnerability once fixes it everywhere.
• iOS Keychain is the correct storage for auth tokens — not UserDefaults (unencrypted), not files (accessible to other apps in some configurations). Keychain data is encrypted, persists across app reinstalls (configurable), and supports biometric access (Face ID/Touch ID to unlock tokens). AuthKit wrapping Keychain interactions shields app developers from the notoriously awkward Keychain API.
• Six HPG packages. One HPG app. The running joke has run long enough — but AuthKit is the one that earns its existence. If there were only one HPG package, it should be this one.

Key Insights

• The HPG SDK family, fully enumerated: CryptoKit (CocoaPod), ModelsKit (CocoaPod), RepositoriesKit (CocoaPod), ModerationKit (in development), DesignKit (SPM), AuthKit (Swift). Six packages representing infrastructure for a platform that is still in its early stages. The irony is real. The investment is not wasted — it is early. When HPG scales to multiple shipped games, every package will earn its keep. The question is whether that day comes before the packages need to be rewritten.