Anatomy of a Frontend

Building an end-to-end encrypted application is challenging in many ways, there's no doubt. However, having a high-level understanding of the components of your application is a major help in getting started and avoiding common pitfalls that can cost you precious time. To give you a head start, let's go through the main responsibilities your backend should and should not have.

Before proceeding, make sure you've read the previous articles in this section to get a better understanding of the building blocks of end-to-end encryption.

Here's what your backend should do:

1. Authenticate users.
Your backend has the responsibility of distinguishing between users accessing your application before providing them with an appropriate Virgil JWT. Since the method of authentication is up to you, make sure it's a secure one.

2. Generate Virgil JWT for users.
Virgil JWTs are a user's ticket to and proof of identity for Virgil Cloud. Your Virgil Application Private API Key and App ID are needed for this procedure. Since they should never leave the backend, this operation can only be performed server-side.

3. Receive and store sensitive user data encrypted, if it requires storage.
Files, conversations, and any sensitive or protected health information should never leave the client device unencrypted. This means it must be encrypted with an asymmetric public key before being sent to and stored on your servers.

And what your backend should not do:

1. Store user asymmetric encryption keys (public or private).
User private keys must be stored on the user's device only, and never be exposed to the backend. This way, if your backend is compromised, the encrypted data will be accessible to no one. Public keys should be stored only in Virgil Cloud for consultation, and client-side if caching or offline use is required.

2. Encrypt or decrypt sensitive user data or conversations.
In end-to-end encrypted applications, sensitive data should only be produced and accessed by client devices. Thus, encryption and decryption operations on sensitive user data should be done client-side.

3. Register users in Virgil Cloud.
To register a user in Virgil Cloud, an asymmetric key pair needs to be generated. The public part of this pair is stored in the Virgil Cloud, and the secret part must never be seen outside the client device. Thus, this operation should only be performed by client devices, so as not to compromise the private key part.

If you are still not sure if something should be done - or how it should be done - on your backend or frontend, ask us in our community forum. We're happy to help you build your secure product!
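
The first two items under what your backend should do (authenticate, then issue a token signed with a key that never leaves the server), as an added example in Node.js that is not Virgil's code. It signs a generic Ed25519 JWT as a stand-in for a Virgil JWT, which in practice is produced by Virgil's SDK; `APP_ID`, the key pair, the user store and all function names are constructed placeholders.

```javascript
// Added example: token issuance gated on authentication. The token layout is a
// generic Ed25519 JWT standing in for a Virgil JWT (assumption, not Virgil's format).
const crypto = require('node:crypto');

// Constructed stand-ins for the App ID and the App private API key (server-side only).
const APP_ID = 'app-id-placeholder';
const { privateKey: API_PRIVATE_KEY, publicKey: API_PUBLIC_KEY } =
  crypto.generateKeyPairSync('ed25519');

// Constructed user store: salted scrypt hashes, never plaintext passwords.
const users = new Map();
function addUser(identity, password) {
  const salt = crypto.randomBytes(16);
  users.set(identity, { salt, hash: crypto.scryptSync(password, salt, 32) });
}

// Step 1: authenticate. Constant-time compare; unknown users still cost one hash.
function authenticate(identity, password) {
  const rec = users.get(identity) || { salt: Buffer.alloc(16), hash: Buffer.alloc(32) };
  const candidate = crypto.scryptSync(String(password), rec.salt, 32);
  return crypto.timingSafeEqual(candidate, rec.hash) && users.has(identity);
}

const b64u = (v) => Buffer.from(v).toString('base64url');

// Step 2: issue a short-lived token only after authentication succeeds.
function issueToken(identity, password, ttlSeconds = 600, now = Date.now()) {
  if (!authenticate(identity, password)) return null;
  const iat = Math.floor(now / 1000);
  const header = b64u(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }));
  const body = b64u(JSON.stringify({ iss: APP_ID, sub: identity, iat, exp: iat + ttlSeconds }));
  const sig = crypto.sign(null, Buffer.from(`${header}.${body}`), API_PRIVATE_KEY);
  return `${header}.${body}.${b64u(sig)}`;
}

// Verifier side: the algorithm is fixed to Ed25519 and never read from the header.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const ok = crypto.verify(null, Buffer.from(`${header}.${body}`), API_PUBLIC_KEY,
    Buffer.from(sig, 'base64url'));
  if (!ok) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  return claims.exp > Math.floor(now / 1000) ? claims : null;
}
```

Nothing in this backend code touches a user key pair or user plaintext; it only decides who gets a token and for how long.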