> ## Documentation Index
> Fetch the complete documentation index at: https://docs.privacyboost.io/llms.txt
> Use this file to discover all available pages before exploring further.

# App Setup

> Register your app with Privacy Boost and choose an authentication method

# App Setup

Before writing any SDK code, you need two things: an **App ID** and an **authentication method**. These are configured once when you register your app with Privacy Boost.

## Getting an App ID

The App ID is a unique identifier for your application (e.g., `app_abc123xyz`). You pass it to the SDK at initialization, and the backend uses it to identify your app, apply rate limits, and enforce access controls.

To get one, contact the Privacy Boost team with your application name and use case.

## Choosing an Authentication Method

When your app is created, you choose how users authenticate. This controls what credentials are required when the SDK logs in a user.

### Which method should I use?

| Your situation                                                     | Auth method              | Backend required? | Guide                                 |
| ------------------------------------------------------------------ | ------------------------ | ----------------- | ------------------------------------- |
| Development, testing, or prototyping                               | **Direct**               | No                | Built-in — just call `authenticate()` |
| Your backend manages users, no third-party auth                    | **API Secret**           | Yes               | [Setup guide](/sdk/guides/api-secret) |
| You use [Privy](https://www.privy.io) for login                    | **Privy**                | No                | [Setup guide](/sdk/guides/privy)      |
| You use [Dynamic](https://www.dynamic.xyz) for login               | **Dynamic** (Custom JWT) | No                | [Setup guide](/sdk/guides/dynamic)    |
| You use Auth0, Firebase, Supabase, Clerk, or another OIDC provider | **Custom JWT**           | No                | [Setup guide](/sdk/guides/custom-jwt) |

<Warning>
  Direct authentication does not verify who is calling your app. Use one of the other methods in production if you need to control access.
</Warning>

API Secret requires a [token provider](/sdk/concepts/authentication#token-providers) — a function in your SDK code that routes authentication through your backend, keeping the secret out of client-side code. Privy, Dynamic, and Custom JWT do not require a backend — you configure your JWKS URL with Privacy Boost, and the server validates tokens directly.

## How Authentication Works Under the Hood

Every `authenticate()` call goes through two steps:

1. **App verification** — The backend checks your app's credentials (App ID only, API secret, or JWT depending on your method). This confirms the request comes from a legitimate app.
2. **Key verification** — The SDK proves the user owns their privacy keys by signing a cryptographic challenge. This happens automatically inside `authenticate()`.

For direct auth, both steps are handled entirely by the SDK. For all other methods, step 1 routes through your backend via a [token provider](/sdk/concepts/authentication#token-providers).

## Next Steps

<CardGroup cols={2}>
  <Card title="Configuration" href="/sdk/concepts/configuration">
    Initialize the SDK with your App ID and endpoints
  </Card>

  <Card title="Authentication" href="/sdk/concepts/authentication">
    The authenticate() flow, wallet popups, and session management
  </Card>
</CardGroup>
