# Proper App ID Initialization

**ID:** DEV-004
**Priority:** High
**Status:** Planned

## User Story

As a developer, I want to properly register my application with a unique App ID so that the identity provider can identify and configure my app correctly.

## Acceptance Criteria

- [ ] Developer can register new applications
- [ ] Each app gets unique App ID and App Secret
- [ ] Configure allowed redirect URIs per app
- [ ] Configure allowed origins (CORS) per app
- [ ] App-specific settings (token expiry, etc.)
- [ ] View app analytics (logins per app)
- [ ] Regenerate app secret if compromised
- [ ] Delete/deactivate applications

## Technical Notes

- SDK clients should receive app identity from the registered application model instead of hard-coded placeholders
- App ID is now part of the unified Apps model (`IApp` discriminated union)
- Three app types exist: Global Apps, Partner Apps, Custom OIDC Apps
- For custom applications, use the Custom OIDC Apps flow (ORG-011)
- App credentials stored as `IOAuthCredentials` with hashed client secret
- Validate redirect URIs to prevent open redirector attacks
- App ID/Client ID is included in JWT claims

## Apps Architecture

The Apps system supports three types:

1. **Global Apps** (ORG-009) - First-party platform apps (foss.global, task.vc)
2. **Partner Apps** (ORG-010, DEV-008) - AppStore model for third-party apps
3. **Custom OIDC Apps** (ORG-011) - Organization-created OAuth/OIDC clients

## Related Stories

- ORG-009: Connect Global Apps
- ORG-010: Browse and Install Partner Apps
- ORG-011: Create Custom OIDC Apps
- DEV-005: Register OAuth Client App
- DEV-008: Submit App to AppStore

## Related TODOs

- Keep app identity initialization aligned with the shared `@idp.global/sdk` client configuration.
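
For the Technical Notes item on validating redirect URIs, the following added example (not code from this project) sketches a registration-time check plus exact-match comparison at request time, with a prefix matcher shown for contrast. `RegisteredApp`, the function names, the HTTPS-only rule and the `example.com` values are assumptions made for illustration.

```typescript
// Added example; all names here are hypothetical, not the project's API.
interface RegisteredApp {
  appId: string;
  redirectUris: string[]; // stored exactly as registered
}

type Check = { ok: true } | { ok: false; reason: string };

// Registration time: refuse URIs that cannot be matched safely later.
function checkRegistrableRedirectUri(raw: string): Check {
  let url: URL;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch (e) {
    return { ok: false, reason: "not an absolute URI" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme must be https" };
  if (url.username !== "" || url.password !== "") return { ok: false, reason: "userinfo not allowed" };
  if (raw.indexOf("#") !== -1) return { ok: false, reason: "fragment not allowed" };
  if (raw.indexOf("*") !== -1) return { ok: false, reason: "wildcards not allowed" };
  return { ok: true };
}

// Weak form, shown for contrast: prefix matching accepts unregistered URIs.
function prefixMatchUnsafe(app: RegisteredApp, requested: string): boolean {
  return app.redirectUris.some((u) => requested.indexOf(u) === 0);
}

// Request time: exact string comparison against the registered list.
function isAllowedRedirect(app: RegisteredApp, requested: string): boolean {
  return app.redirectUris.indexOf(requested) !== -1;
}

// Constructed sample data.
const sampleApp: RegisteredApp = {
  appId: "app_example_123",
  redirectUris: ["https://app.example.com/callback"],
};
const traversal = "https://app.example.com/callback/../other";
console.log("prefix match accepts:", prefixMatchUnsafe(sampleApp, traversal));
console.log("exact match accepts:", isAllowedRedirect(sampleApp, traversal));
```
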