Sendity Client
Browser UI, server-owned verification.
The Sendity Web Client is the browser-side authentication surface. It renders the challenge code, channel actions, progress states and browser events while app configuration, channel routing and verification rules stay on the server.
Think of it as the visible edge of the flow: friendly enough to drop into a login screen, but deliberately thin from a security perspective. It can tell your frontend that a verification happened; it cannot decide that a user is authenticated. That decision stays with your backend or framework adapter.
Mount it where authentication happens.
Use the raw <sendity-auth> element or a framework adapter component in your login, signup or step-up flow. The Client owns the visible challenge and channel UI, but it does not create your application session by itself.
Let the server decide the verification action.
The Client sends the public app id, current origin and localized message templates to the Sendity API. The API returns one verification_action containing the channel, primary recipient, optional RCS recipient and complete action URL. The Client displays only the primary recipient and uses the server-built URL unchanged for the button and QR code; an RCS service ID remains encoded in the sms: link.
Verify before opening a session.
Browser events are UI signals. Your backend must verify the signed result, reject replay or expiry, map the verified subject to a local user and only then create the session. Framework adapters automate that path, but the trust boundary stays the same.
Runtime contract
The public contract is intentionally small: a public app id, optional rendering attributes, the shared corner-radius property and CustomEvent notifications. Application credentials stay in your backend. A short-lived AuthRequest secret is returned by the API and kept in browser session storage only; an application client secret is never rendered into the page.
<script type="module" src="https://sendity.io/vendor/sendity/client/sendity-client.js"></script>
<sendity-auth
public-key="app_01HX..."
lang="en"
></sendity-auth>