For developers looking to optimize their Privy integration, we have a few key features that should help fine-tune the performance of your setup.

Manually set a verification key for authorization

When verifying a Privy access token to authorize requests to your servers, by default the Privy Client’s verifyAuthToken method will make a request to Privy’s API to fetch the verification key for your app. Although it is cached for reuse, you can avoid this API request entirely by copying your verification key from the Configuration > App settings > Basics tab of the Dashboard, under “Verify with key instead”, and passing it as a second parameter to verifyAuthToken:

const verifiedClaims = await privy.verifyAuthToken(
  authToken,
  'paste-your-verification-key-from-the-dashboard'
);

If you ever rotate your verification key, you will have to update this value, but passing it in removes any network dependency on Privy for token verification.
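What pinning the key implies operationally, as an added example that is not Privy's SDK code: a stand-alone Node.js verifier that checks a token offline against a pinned public key and fails closed once the signing key has been rotated. It assumes an ES256-signed JWT and a PEM-encoded verification key, which the page does not state; the key pairs, claims and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');

// Test-only issuer: signs an ES256 JWT with a locally generated key (constructed data).
function signToken(privateKey, claims) {
  const input = `${b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Verify against a pinned PEM public key: no network call, fail closed on any mismatch.
function verifyWithPinnedKey(token, pinnedKeyPem, { audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm on the server side; never let the token header choose it.
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: crypto.createPublicKey(pinnedKeyPem), dsaEncoding: 'ieee-p1363' },
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature (stale pinned key after rotation?)');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  if (claims.aud !== audience) throw new Error('wrong audience');
  return claims;
}

// Constructed scenario: key A is pinned in server config, then the app rotates to key B.
function demo() {
  const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const pem = (k) => k.publicKey.export({ type: 'spki', format: 'pem' });
  const keyA = newKey(), keyB = newKey();
  const claims = { sub: 'user-123', aud: 'your-app-ID', exp: Math.floor(Date.now() / 1000) + 3600 };
  const before = verifyWithPinnedKey(signToken(keyA.privateKey, claims), pem(keyA), { audience: 'your-app-ID' });
  let afterRotation;
  try {
    verifyWithPinnedKey(signToken(keyB.privateKey, claims), pem(keyA), { audience: 'your-app-ID' });
    afterRotation = 'accepted';
  } catch (e) { afterRotation = e.message; }
  return { before, afterRotation };
}

console.log(demo().afterRotation);
```

With a pinned key, a rotation shows up as every token failing signature verification until the configured key is updated, so a spike in that error after a rotation points at stale configuration.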

Get user data with identity tokens

If you need access to the user object, especially on the server, fetching it can be a costly action. To remove a network call from your critical path, we recommend using Privy’s identity tokens, which include the latest user information in token form. While an identity token does not have the full user details (it omits certain lesser-needed fields for efficiency), it should have what you need to get started quickly.

Set a custom API URL for HttpOnly cookies (react-auth only)

In the case where you have set up and enabled HttpOnly cookies, on initial page load, the Privy SDK will start by making a call to fetch app details on our default https://auth.privy.io API URL. In HttpOnly cookie mode however, all your requests are routed through https://privy.<customdomain.com>. To avoid an occasional extra call on page load, we recommend explicitly setting the apiUrl in your PrivyProvider:

return (
  <PrivyProvider
    appId={'your-app-ID'}
    // @ts-expect-error currently a beta feature
    apiUrl="https://privy.customdomain.com"
  >
    {children}
  </PrivyProvider>
);

Note that this carries a risk: if you ever disable HttpOnly cookies, you will need to remove this setting in order for your app to continue functioning properly. For a smooth transition, first remove the apiUrl, deploy, and then disable HttpOnly cookies.