Permissions

Permissions in the k-ID Regulatory Hub represent classifications of game features that are addressed in regulations in one or more jurisdictions worldwide. Permissions are configured in the Compliance Studio for the game. Each k-ID Permission that matches a game feature should be enabled in the Compliance Studio.

What are permissions?

Permissions represent features or capabilities in your game that might require parental consent or have age restrictions. Each permission can be enabled or disabled for a player based on:

  • Their age and jurisdiction
  • Parental consent (if required)
  • The permission's configuration in Compliance Studio

Permission structure

Each permission in a session has the following structure:

{
  "enabled": true,
  "managedBy": "PLAYER",
  "name": "text-chat-private"
}

Permission fields

  • name: The identifier of the permission (for example, text-chat-private, in-game-purchases)
  • enabled: Whether the permission is currently enabled for the player
  • managedBy: Who can enable or disable this permission:
    • PLAYER: The player can enable/disable this permission themselves without parental consent
    • GUARDIAN: Only a trusted adult can enable/disable this permission
    • PROHIBITED: This permission is never allowed for the current player in the current location

managedBy can change over time

The managedBy field isn't static. When a player ages up and no longer requires parental consent, permissions that were previously managedBy: "GUARDIAN" might change to managedBy: "PLAYER". When a player requests to enable a PLAYER-managed permission via the /session/upgrade API, it's automatically enabled without creating a challenge. Your application should handle these changes by comparing sessions over time.

Who can enable a permission?

The game code should use each k-ID Permission to control access to the corresponding features in the game. If the enabled field is true for a permission, this means that the feature can be enabled for the player in the game. If the enabled field is false, the feature must be turned off.

Some jurisdictions require that games turn off certain features by default if the player is a certain age, even if it's acceptable for the player to access the feature (this is sometimes referred to as a "privacy by default" requirement). In this case, enabled is false and the managedBy field contains PLAYER.

If a feature can only be turned on or off by a trusted adult, then the value of the managedBy field is GUARDIAN. If a feature is never allowed for the current player in the current location regardless of their trusted adult's consent, the managedBy field contains the value PROHIBITED. In this last case, it's appropriate for the game to just remove the prohibited feature entirely from the user experience rather than show it turned off.

When a player ages up and no longer requires parental consent, permissions that were previously managedBy: "GUARDIAN" might change to managedBy: "PLAYER", allowing the player to control them directly. When a player requests to enable a PLAYER-managed permission via the /session/upgrade API, it's automatically enabled without creating a challenge. Your game should provide UI controls that allow players to manage these permissions themselves.
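The rules above can be turned into a deny-by-default gate plus a session comparison. This is an added example, not k-ID's own code; the function names, state labels (ON, PLAYER_CAN_ENABLE, NEEDS_GUARDIAN, HIDDEN) and sample sessions are assumptions made for illustration.

```javascript
// Added example: deny-by-default gate over a k-ID session's permissions.
// The state labels returned here are hypothetical, not k-ID values.
function featureState(session, name) {
  const perms = session && Array.isArray(session.permissions) ? session.permissions : [];
  const p = perms.find((x) => x && x.name === name);
  // Missing permission, PROHIBITED, or an unrecognised managedBy: fail closed
  // and remove the feature from the UI.
  if (!p || !['PLAYER', 'GUARDIAN'].includes(p.managedBy)) return 'HIDDEN';
  if (p.enabled === true) return 'ON'; // strict: the string "true" does not count
  // Off but switchable: by the player ("privacy by default") or a trusted adult.
  return p.managedBy === 'PLAYER' ? 'PLAYER_CAN_ENABLE' : 'NEEDS_GUARDIAN';
}

// Compare two snapshots of the same session and report managedBy changes,
// e.g. GUARDIAN -> PLAYER after the player ages up.
function managedByChanges(oldSession, newSession) {
  const before = new Map((oldSession.permissions || []).map((p) => [p.name, p.managedBy]));
  return (newSession.permissions || [])
    .filter((p) => before.has(p.name) && before.get(p.name) !== p.managedBy)
    .map((p) => ({ name: p.name, from: before.get(p.name), to: p.managedBy }));
}

// Constructed sample sessions (not real k-ID output).
const SESSION_BEFORE = {
  permissions: [
    { name: 'multiplayer', enabled: true, managedBy: 'GUARDIAN' },
    { name: 'text-chat-private', enabled: false, managedBy: 'PLAYER' },
    { name: 'voice-chat', enabled: false, managedBy: 'GUARDIAN' },
    { name: 'loot-boxes-kompu-gacha', enabled: false, managedBy: 'PROHIBITED' },
  ],
};
const SESSION_AFTER = {
  permissions: SESSION_BEFORE.permissions.map((p) =>
    p.name === 'voice-chat' ? { ...p, managedBy: 'PLAYER' } : p),
};

for (const p of SESSION_BEFORE.permissions) {
  console.log(p.name, '->', featureState(SESSION_BEFORE, p.name));
}
console.log(managedByChanges(SESSION_BEFORE, SESSION_AFTER));
```

The same check belongs on any server-side path that serves the feature, since a client-only gate can be bypassed.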

Matching permissions to game features

Permissions in the k-ID Regulatory Hub represent classifications of game features that are addressed in regulations in one or more jurisdictions worldwide. Permissions are configured in the Compliance Studio for the game. Each k-ID Permission that matches a game feature should be enabled in the Compliance Studio. The k-ID Permissions chosen are presented to parents when they give consent for a child to play a game.

Info: When displaying features in the game that are mapped to k-ID Permissions, the Session should be checked to see whether the feature is enabled, and whether the player is allowed to turn it on.

Available permissions

The following permissions are available in the Compliance Studio:

Social permissions

  • Online Multiplayer (multiplayer)
  • Leaderboard and rankings (leaderboards-and-rankings)
  • Join Groups (join-groups)
  • Public Profile (public-profile)
  • Custom Avatar (custom-avatar)
  • Custom Username (custom-username)
  • Text Chat (Private) (text-chat-private)
  • Text Chat (Public) (text-chat-public)
  • Voice Chat (voice-chat)
  • Video Chat (video-chat)
  • Online Status (online-status)
  • Public Friend List (public-friend-list)
  • Send Accept Friend Requests (send-accept-friend-requests)
  • Link to Third Party Chat (link-to-third-party-chat)
  • Virtual Events (virtual-events)
  • Share to Social Media (share-to-social-media)

Marketing permissions

  • Personalized Recommendations (personalized-recommendations)
  • Targeted Ads (targeted-ads)
  • Profiling (profiling)
  • Push Notifications (push-notifications)
  • Direct Marketing (direct-marketing)
  • Forums (forums)

Commerce permissions

  • In-Game Purchases (in-game-purchases)
  • Loot Boxes Paid Cosmetic Only (loot-boxes-paid-cosmetic-only)
  • Loot boxes paid gameplay impacting (loot-boxes-paid-gameplay-impacting)
  • Loot boxes kompu gacha (loot-boxes-kompu-gacha)
  • Send Gifts (send-gifts)
  • Simulated Gambling (simulated-gambling)
  • Virtual Property Ownership (virtual-property-ownership)

Create content or share data permissions

  • Camera Access (camera-access)
  • Share Game Clips Screenshots (share-game-clips-screenshots)
  • Photo Video Sharing (photo-video-sharing)
  • Precise Location Sharing (real-time-location-sharing)
  • User-generated content (mods)
  • Gameplay streaming (gameplay-streaming)
  • Gameplay recording (gameplay-recording)
  • Link to Third-Party Streaming App (link-to-third-party-streaming-app)

Advanced permissions

  • AI Generated Avatars (ai-generated-avatars)
  • Augmented Reality (augmented-reality)
  • Mature Language (mature-language)
  • Motion Data (motion-data)
  • AI chatbot (ai-chatbot)

Requesting additional permissions

After a player has received a session with permissions, they might want to allow additional permissions. Permissions can be disallowed for reasons such as:

  1. They're below the age threshold for the permission to be enabled by default.
  2. They're below the absolute minimum required age for the permission.
  3. The permission can only be enabled with a parent/guardian's consent, and it wasn't enabled during the consent process.

Using the session upgrade API

The /session/upgrade API can be used to enable additional permissions. Any requested permissions which have the managedBy field set to PLAYER are enabled immediately. If there are permissions which have managedBy set to GUARDIAN, then a challenge is created for the trusted adult to complete to consent to the permission change.

Example request

POST /api/v1/session/upgrade
Content-Type: application/json
Authorization: Bearer your-api-key

{
  "sessionId": "608616da-4fd2-4742-82bf-ec1d4ffd8187",
  "requestedPermissions": [
    {
      "name": "voice-chat"
    }
  ]
}

Example response with challenge

If a permission requires guardian consent, the response includes a challenge:

{
  "status": "CHALLENGE",
  "challenge": {
    "challengeId": "683409f1-2930-4132-89ad-827462eed9af",
    "oneTimePassword": "ABC123",
    "type": "CHALLENGE_PARENTAL_CONSENT",
    "url": "https://family.k-id.com/authorize?otp=ABC123"
  }
}

Example response without challenge

If all requested permissions can be enabled by the player, the response includes the updated session:

{
  "status": "PASS",
  "session": {
    "sessionId": "608616da-4fd2-4742-82bf-ec1d4ffd8187",
    "permissions": [
      {
        "enabled": true,
        "managedBy": "PLAYER",
        "name": "voice-chat"
      }
    ]
  }
}

When trusted adult consent is needed to enable a permission, a challenge is included in the response. This challenge can be shared similarly to the initial age gate process, by using a QR code, OTP, or email. For more information, see Challenges.

Email notification for permission upgrades

One quality-of-life difference is that it's possible to use the /challenge/send-email API without specifying an email address, and the API sends an email to the trusted adult who most recently approved a permission for the player. This enables players to request permission changes without specifying an email address themselves. You can check the hasApproverEmail flag in the Session to determine if the session already has an associated email address before calling the API. If no associated email address is found, the /challenge/send-email API responds with an INVALID_EMAIL error code, and you must fall back to another method, such as providing a QR code, OTP, or asking the player to enter their trusted adult's email address.

Handling the upgrade flow

  1. Check permissions: Before requesting an upgrade, check the current session to see which permissions are available and which require guardian consent
  2. Request upgrade: Call /session/upgrade with the requested permissions
  3. Handle challenge: If a challenge is returned, follow the same workflow as the initial VPC flow
  4. Update session: Once consent is granted, retrieve the updated session using /session/get
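
The four steps above, together with the email fallback, sketched as pure functions that run offline. This is an added example, not k-ID's own code; the function names, the action and delivery labels, and the sample session are assumptions, and the example assumes the session returned with PASS is the complete updated session.

```javascript
// Added example: planning a /session/upgrade request and handling its reply.
// Function names and the action/delivery labels are hypothetical.
// Step 1: decide what to ask for, based on the current session.
function planUpgrade(session, wanted) {
  const plan = { request: [], needsGuardian: [], skipped: [] };
  for (const name of wanted) {
    const p = (session.permissions || []).find((x) => x.name === name);
    if (!p || p.managedBy === 'PROHIBITED' || p.enabled === true) {
      plan.skipped.push(name); // unknown, never allowed, or already on
      continue;
    }
    plan.request.push({ name }); // shape of requestedPermissions entries
    if (p.managedBy === 'GUARDIAN') plan.needsGuardian.push(name);
  }
  return plan;
}

// Steps 2-4: interpret the response body without enabling anything early.
function handleUpgradeResponse(session, response) {
  const keep = { action: 'REJECT', session }; // default: change nothing
  if (!response) return keep;
  if (response.status === 'PASS') {
    const s = response.session;
    // Accept only an updated copy of the session that was upgraded.
    return s && s.sessionId === session.sessionId ? { action: 'APPLY', session: s } : keep;
  }
  if (response.status === 'CHALLENGE' && response.challenge) {
    // Old session stays in force until /session/get shows the consent.
    const delivery = session.hasApproverEmail === true ? 'EMAIL' : 'QR_OR_OTP';
    return { action: 'AWAIT_CONSENT', delivery, challenge: response.challenge, session };
  }
  return keep;
}

// /challenge/send-email fallback. INVALID_EMAIL is the documented error code;
// this sketch treats any error code the same way (an assumption).
function deliveryAfterSendEmail(errorCode) {
  return errorCode ? 'QR_OR_OTP' : 'EMAIL';
}

// Constructed sample session, reusing the sessionId from the examples above.
const SAMPLE_SESSION = {
  sessionId: '608616da-4fd2-4742-82bf-ec1d4ffd8187',
  hasApproverEmail: false,
  permissions: [
    { name: 'voice-chat', enabled: false, managedBy: 'GUARDIAN' },
    { name: 'text-chat-private', enabled: false, managedBy: 'PLAYER' },
    { name: 'simulated-gambling', enabled: false, managedBy: 'PROHIBITED' },
  ],
};
console.log(planUpgrade(SAMPLE_SESSION, ['voice-chat', 'simulated-gambling']));
```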