Skip to main content

​
Understanding App Modes

On Civic Auth, apps can be in either Sandbox or Production mode. When you create a new app, it starts in Sandbox mode to allow you to develop and test your integration. This is a setting on the Civic Auth Dashboard — it is separate from your own infrastructure environments (such as a development server, staging environment, or production server).

​
Sandbox Mode

In sandbox mode:
  • Uses Civic’s SSO credentials: Your app uses Civic’s shared OAuth credentials for providers like Google, so you can integrate and test without setting up your own OAuth app.
  • No billing required: Payment information is not required during development.
  • Domain restrictions not enforced: Your app accepts requests from any domain, including localhost. You can leave the Domains field empty in your Civic Dashboard and your app will work with any domain while testing.
  • Same clientId: Your app’s clientId is the same in sandbox mode as it will be in production. Your clientId does not change when you launch to production.

​
Production Mode

Production mode is required before your app can be used by real users. To launch to production, you must:
  1. Provide your own SSO credentials (clientId and clientSecret) for each provider.
  2. Register at least one domain.
  3. Add payment information.
To launch your app, click the ‘Sandbox’ header in the Civic Auth Dashboard and select ’+ Launch to production’.
This action is permanent. Once an app is launched to production, it cannot be returned to Sandbox mode. There is no way to deactivate a Civic Auth app — if you need to stop users from authenticating, remove the Civic Auth integration from your application code.
About Client IDs: Your app’s clientId remains the same whether your app is in Sandbox or Production mode (unless you choose to duplicate your app during launch). The app mode is a setting of your app, not a separate infrastructure environment. There is only one Civic Auth infrastructure that serves both Sandbox and Production apps.
Once you’ve configured your App using the Civic Auth Dashboard, here are the steps you need to take to promote your app to production.

​
Configure SSO credentials

In Sandbox mode, your app uses Civic’s credentials for SSO providers such as Google. However, for a live app you need to provide your own credentials (clientId and clientSecret) from your OAuth app configuration. For each provider, you must also add the correct callback URL to your provider’s list of allowed redirect URIs. You can find the exact callback URL for each provider directly in your Civic dashboard:
  1. Go to your Civic dashboard and navigate to the SSO Setup screen.
  2. Select the tab for your SSO provider (e.g. Google, Apple, Microsoft, Discord, X).
  3. The required callback URL is displayed on that tab — copy it and add it to your OAuth app’s allowed redirect URIs.
For reference, the table below lists the known callback URLs for common providers:
ProviderAuthorized domainCallback URL
Googlehttps://auth.civic.comhttps://auth.civic.com/login/api/callback/google
Applehttps://auth.civic.comhttps://auth.civic.com/login/api/callback/apple
Microsofthttps://auth.civic.comhttps://auth.civic.com/login/api/callback/azure-ad
X (Twitter)https://auth.civic.comhttps://auth.civic.com/login/api/callback/twitter
Always check the SSO Setup screen in your Civic dashboard for the most up-to-date callback URL for your provider. If your provider is not listed above, contact us in our developer community for assistance.

​
Set a domain

To ensure that your app is only usable by your website, you need to add the Domain that your website will be hosted on. You need to define at least one Domain, and a secure https site is recommended.
Testing in sandbox mode: While your app is in sandbox mode, you can remove all domains from your app’s Domains settings in the Civic Dashboard, and your app will accept requests from any domain. This makes local and staging testing easier without needing to register each environment. Once you launch to production, at least one domain must be registered.
Note that you can add localhost domains while testing but it’s recommended that you remove localhost values when you bring your App to production as anyone running a localhost app could then potentially use your clientId.

​
Add payment information

You need to add payment information using our Billing page. Click here for more details on Auth Pricing.

​
Converting or duplicating your app

Once you have fulfilled all the steps, you can click on the ‘Sandbox’ header and select the option ’+ Launch to production’. You now have two options of bringing your existing App to production: Convert and Duplicate

​
Convert

Choose this option to promote your existing app to Production mode. Your app keeps the same clientId and all settings - only the app mode changes from Sandbox to Production.
Use this option if you’ve been testing with the same clientId that you want to use in your live application.

​
Duplicate

This option creates a new app (with a new clientId) in Production mode, copying all settings from your Sandbox app. Your original Sandbox app remains unchanged.
Use this option if you want to keep a separate Sandbox app for continued testing while having a distinct Production app with its own clientId.

​
Enabling Crypto Wallets (Web3 Apps only)

If you want your users to have access to embedded wallets, make sure to enable the ‘Enable embedded wallets’ setting in the Crypto Wallets dashboard page.