pivy | using PIV tokens ( like Yubikeys
kandi X-RAY | pivy Summary
pivy is a C library. It has no reported bugs, no reported vulnerabilities, and low support. You can download it from GitHub.
This is an implementation of a simple PIV client for desktop Linux and OSX with minimal dependencies. It contains a pivy-tool binary which can conduct basic operations using PIV cards, and the pivy-agent, which implements the SSH agent protocol as a drop-in replacement for the OpenSSH ssh-agent command (except that the keys it contains are always on a PIV card). "PIV cards" notably includes Yubico Yubikey devices such as the NEO and Yubikey4, which can store up to 24 keys by using the "retired key" slots (which this agent supports). This project re-uses most of the agent and protocol parsing code from OpenSSH, where it's been pretty thoroughly battle-hardened.
Support
pivy has a low active ecosystem.
It has 160 star(s) with 21 fork(s). There are 30 watchers for this library.
It had no major release in the last 12 months.
There are 6 open issues and 9 have been closed. On average issues are closed in 142 days. There are 3 open pull requests and 0 closed requests.
It has a neutral sentiment in the developer community.
The latest version of pivy is v0.10.0
Quality
pivy has no bugs reported.
Security
pivy has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
License
pivy does not have a standard license declared.
Check the repository for any license declaration and review the terms closely.
Without a license, all rights are reserved, and you cannot use the library in your applications.
Reuse
pivy releases are available to install and integrate.
Installation instructions are available. Examples and code snippets are not available.
Top functions reviewed by kandi - BETA
kandi's functional review helps you automatically verify the functionalities of the libraries and avoid rework.
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of pivy
pivy Key Features
No Key Features are available at this moment for pivy.
pivy Examples and Code Snippets
No Code Snippets are available at this moment for pivy.
Community Discussions
No Community Discussions are available at this moment for pivy. Refer to the Stack Overflow page for discussions.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install pivy
I recommend that new users run the pivy-tool setup command -- it will initialise the PIV applet and then generate a standard set of basic keys which will suit most users. The setup command will prompt you to set a PIN and PUK, as well as generating keys.

The PIV PIN and PUK are both secret strings of 6-8 ASCII characters which are used to protect access to your device. In the PIV spec, these strings are required to be numeric (consisting only of digits 0 through 9), but many PIV devices such as YubiKeys will allow a much wider variety of characters.

The PIN is what you will normally use to authenticate to your device and unlock the use of private keys. By default, 5 invalid attempts to validate the PIN are allowed before it becomes locked.

The PUK is intended as a fall-back if the PIN is forgotten, and can be used to reset it when locked. If you supply the PUK incorrectly 3 times (by default), then the card/device becomes locked down and will generally destroy its private keys.

It's fine for personal use to set the PIN and PUK to the same value. The PUK is best used in an organisational context where devices are being provisioned for users centrally -- it can be securely stored rather than given to the user and used to help unlock devices when PINs have been forgotten.

In a PIV device/card, your keys are stored in a fixed set of "slots", which are known by their numbered slot IDs. The different key "slots" (9a, 9c, 9d and 9e) have different assigned purposes in the PIV spec, but YubiKeys and a lot of compatible devices are not very strict in enforcing these.
9E: Card Authentication Key (often styled as "CAK"). This key is intended to authenticate only the device/card, not the person who owns it. It defaults to not requiring any authentication to use (no PIN, no touch confirmation on YubiKeys). In pivy-agent, for example, this slot is used to check that the device it's talking to is actually the device it's supposed to be (and not an attacker replacement with the same ID) before giving it the user's PIN.
9A: PIV Authentication Key. This is the main key used to authenticate the owner of the card/device. It's protected by the PIN by default. You should use this key as your primary option for signature authentication (e.g. this is the key you should add to .ssh/authorized_keys or GitHub).
9C: Signature Key. This key is intended for use signing documents or certificates. Since this purpose is not as common as authentication amongst users of pivy, it also serves duty as a backup authentication key. If you need to SSH or auth to a system that does not support EC keys, this key is an RSA key so that you can use it as a fallback for the 9A key. It requires a PIN by default, like 9A.
9D: Key Management Key. This key is intended for use only to derive symmetric keys to encrypt/decrypt data. It's a matter of some controversy in the cryptography community whether it's entirely safe to use the same EC key both for signing and key derivation (ECDH), so I would recommend you avoid signing arbitrary data with your 9D key (don't use it for regular authentication). See the next section for more information about using this key to encrypt data at rest. Requires both PIN and touch confirmation (on YubiKeys).
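The PIN/PUK format rules described above can be checked before a value is ever sent to the card, which avoids burning one of the limited retry attempts on a malformed entry. The following is an added example, not code from pivy: the function names are hypothetical, the "printable ASCII" test in non-strict mode is this example's choice, and the VERIFY APDU layout (header 00 20 00 80 08, PIN right-padded to 8 bytes with 0xFF) comes from NIST SP 800-73 rather than from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PIV_PIN_MIN 6
#define PIV_PIN_MAX 8

enum pin_check { PIN_OK = 0, PIN_BAD_LENGTH, PIN_NOT_ASCII, PIN_NOT_NUMERIC };

/* Validate a PIN or PUK: 6-8 characters. strict != 0 enforces the PIV
 * spec's digits-only rule; strict == 0 accepts any printable ASCII,
 * as more permissive devices such as YubiKeys do. */
enum pin_check
piv_pin_check(const char *pin, int strict)
{
	size_t i, len = strlen(pin);

	if (len < PIV_PIN_MIN || len > PIV_PIN_MAX)
		return (PIN_BAD_LENGTH);
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)pin[i];
		if (c < 0x20 || c > 0x7e)
			return (PIN_NOT_ASCII);
		if (strict && (c < '0' || c > '9'))
			return (PIN_NOT_NUMERIC);
	}
	return (PIN_OK);
}

/* Build the 13-byte VERIFY APDU for the PIV application PIN:
 * CLA=00 INS=20 P1=00 P2=80 Lc=08, then the PIN padded with 0xFF.
 * Returns 0 on success, or the pin_check error without touching apdu. */
int
piv_build_verify(const char *pin, int strict, uint8_t apdu[13])
{
	static const uint8_t hdr[5] = { 0x00, 0x20, 0x00, 0x80, 0x08 };
	enum pin_check rc = piv_pin_check(pin, strict);

	if (rc != PIN_OK)
		return ((int)rc);
	memcpy(apdu, hdr, sizeof (hdr));
	memset(apdu + 5, 0xFF, PIV_PIN_MAX);
	memcpy(apdu + 5, pin, strlen(pin));
	return (0);
}
```

A caller holding a real PIN would also zero the APDU buffer after transmitting it.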
Support
For any new features, suggestions and bugs create an issue on GitHub.
If you have any questions, check and ask on the Stack Overflow community page.