# Security Considerations

<table><thead><tr><th width="184.4296875">Constraint</th><th>Rationale</th></tr></thead><tbody><tr><td><strong>Keep <code>PRIVY_APP_SECRET</code> server-side only</strong></td><td>The app secret authenticates your backend to Privy's verification infrastructure. Anyone who obtains it can call Privy's server-side APIs as your application, so it must never be shipped in a browser bundle, mobile app, or public repository; read it from server environment only.</td></tr><tr><td><strong>Always send the identity token as <code>Authorization: Bearer &#x3C;identityToken></code></strong></td><td>A standard header lets your backend extract and verify the token in one step. It also keeps the credential out of URL query parameters and request bodies, which are routinely written to server, proxy and browser-history logs.</td></tr><tr><td><strong>Do not trust client-side wallet addresses directly</strong></td><td>A wallet address rendered in the browser is a claim, not proof of ownership: any client can send any address. Only the identity token, verified server-side through <code>verifyPrivyWallet</code>, confirms that the session is authentic and that the wallet is linked to it. Use the wallet returned by verification, and treat a client-supplied address that disagrees with it as an error.</td></tr><tr><td><strong>Validate on every protected request</strong></td><td>Identity tokens are session-scoped. Call <code>verifyPrivyWallet</code> on each request to a protected endpoint rather than caching an earlier result, so a token that has expired, or whose session was revoked since the last check, is rejected on the very next request.</td></tr></tbody></table>
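The following is an added example of how a backend request handler can enforce all four constraints above. It is not code from this documentation or from the project; the real `verifyPrivyWallet` is replaced by an injected stub so the example runs offline (a real verifier is network-bound and would be awaited). Request shape, field names such as `walletAddress`, and the session table are assumptions made for the demonstration.

```javascript
// Added example: enforcing the wallet security constraints in a backend handler.
// `verify` stands in for the project's verifyPrivyWallet (injected so this runs offline).

// RFC 6750 Bearer scheme; the scheme name compares case-insensitively.
const BEARER_RE = /^Bearer\s+(\S+)$/i;

// Read the identity token from the Authorization header ONLY.
// Tokens placed in query strings or bodies are deliberately never consulted.
function extractIdentityToken(headers) {
  const raw = headers['authorization'] ?? headers['Authorization'];
  if (typeof raw !== 'string') return null;
  const m = BEARER_RE.exec(raw.trim());
  return m ? m[1] : null;
}

// Per-request authorization. There is intentionally no cache: `verify` runs on
// every call, so an expired or revoked session fails on the next request.
function authorizeRequest(req, verify) {
  const token = extractIdentityToken(req.headers || {});
  if (!token) return { ok: false, status: 401, reason: 'missing_bearer_token' };

  let verified;
  try {
    verified = verify(token); // real backend: await verifyPrivyWallet(token)
  } catch (err) {
    return { ok: false, status: 401, reason: 'invalid_identity_token' };
  }

  // The wallet the client shows in the browser is only a claim. Use the wallet
  // bound to the verified session, and refuse if the client's claim disagrees.
  const claimed = req.body && req.body.walletAddress;
  if (claimed && claimed.toLowerCase() !== verified.walletAddress.toLowerCase()) {
    return { ok: false, status: 403, reason: 'wallet_mismatch' };
  }
  return { ok: true, status: 200, userId: verified.userId, walletAddress: verified.walletAddress };
}

// Constructed stand-in for verifyPrivyWallet: a session table keyed by token.
// A real verifier checks the token's signature against Privy's keys; this stub
// only models the outcomes (valid / expired / unknown) needed for the demo.
function makeStubVerifier(sessions, clock) {
  return function verify(token) {
    const s = sessions.get(token);
    if (!s) throw new Error('unknown token');
    if (clock.now() >= s.expiresAt) throw new Error('expired token');
    return { userId: s.userId, walletAddress: s.walletAddress };
  };
}

// Walks through the four constraints with constructed requests and returns
// each decision so the outcomes can be inspected programmatically.
function runDemo() {
  const clock = { t: 1000, now() { return this.t; } };
  const sessions = new Map([
    ['tok_alice', { userId: 'did:privy:alice', // constructed sample session
      walletAddress: '0xAbC0000000000000000000000000000000000001', expiresAt: 2000 }],
  ]);
  const verify = makeStubVerifier(sessions, clock);
  const out = {};

  // 1. Token in the Authorization header, client claim matches the session -> allowed.
  out.good = authorizeRequest({
    headers: { authorization: 'Bearer tok_alice' },
    body: { walletAddress: '0xabc0000000000000000000000000000000000001' },
  }, verify);

  // 2. Token supplied only as a query parameter -> rejected; it is never read.
  out.queryOnly = authorizeRequest({
    headers: {}, query: { identityToken: 'tok_alice' }, body: {},
  }, verify);

  // 3. Valid token but the client claims someone else's wallet -> 403.
  out.mismatch = authorizeRequest({
    headers: { authorization: 'Bearer tok_alice' },
    body: { walletAddress: '0x0000000000000000000000000000000000000bad' },
  }, verify);

  // 4. Same token after the session expired -> 401, because nothing was cached.
  clock.t = 2000;
  out.expired = authorizeRequest({ headers: { authorization: 'Bearer tok_alice' }, body: {} }, verify);

  return out;
}

module.exports = { extractIdentityToken, authorizeRequest, makeStubVerifier, runDemo };
```

In a real deployment `authorizeRequest` would sit in middleware in front of every protected route, with `verifyPrivyWallet` passed in as `verify`; `PRIVY_APP_SECRET` is only ever read inside that server-side verifier and never appears in the request handling path or in any response.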


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://city-protocol.gitbook.io/docs/neofinance-as-a-service/wallet/security-considerations.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
