Self-Host / Server
Rebuild the apps model for self-hosting.
In Sendity Cloud, an app is the configuration boundary between a website and the verification backend. Self-hosted installations need the same concept, even if you expose it through your own admin UI or seed it from configuration.
Required fields
- public_app_id
- Safe to expose in markup. Used by the Client when creating challenges.
- client_secret
- Server-side credential for adapters and trusted backend calls. Show it once when created; store only a hashed form where possible.
- allowed_origins
- Origins allowed to create browser challenges for this app.
- verification_channel
- The app’s single channel: email or phone. Channel recipients remain server configuration.
For each AuthRequest, the server derives verification_action. Email actions contain the configured inbox and a complete mailto: URL. Phone actions contain the configured SMS number, an optional Twilio RCS recipient, and a complete action URL. The browser Client must not reconstruct any of these values.
Secret handling
Client secrets are operational credentials. Generate them with enough entropy, show them once, allow rotation and never render them back to users as copyable masked values. The browser Client only needs the public app id.