Sinch Functions can require authentication on any handler. When enabled, callers must provide your project's API key and secret via Basic Auth. This lets you expose HTTP endpoints that only your systems can reach.
- You mark which handlers require auth (or all of them)
- The runtime checks incoming requests for an `Authorization: Basic` header
- Credentials are validated against `PROJECT_ID_API_KEY` and `PROJECT_ID_API_SECRET`
- Invalid or missing credentials get a `401 Unauthorized` response

Voice callbacks (ICE, ACE, DiCE, PIE) and health checks are never auth-gated — they come from the Sinch platform and use webhook signature validation instead.
Export an `auth` array with the handler names you want to protect:

```typescript
import type { FunctionContext, FunctionRequest } from '@sinch/functions-runtime';

// Protect the 'webhook' handler — callers must authenticate
export const auth = ['webhook'];

export async function webhook(context: FunctionContext, request: FunctionRequest) {
  // Only reachable with valid credentials
  return { received: request.body };
}

export async function status(context: FunctionContext, request: FunctionRequest) {
  // No auth required — not listed in the auth array
  return { ok: true };
}
```

To protect all handlers:

```typescript
export const auth = '*';
```

Auth uses your Sinch project's API key and secret — the same credentials you use with `sinch auth login`. When deployed, these are injected automatically as environment variables:

- `PROJECT_ID_API_KEY` — your project's API key
- `PROJECT_ID_API_SECRET` — your project's API secret

You don't need to configure anything. The runtime reads these from the environment at startup.
During local development (sinch functions dev), auth is skipped when credentials aren't configured. This means you can test your handlers without setting up auth locally.
If you run `sinch functions dev` with a public tunnel, your local server is reachable from the internet for the duration of the dev session. With auth skipped, any endpoint you marked as protected is effectively open to the world during that window. To test auth end-to-end through the tunnel, set the credentials (see below) before starting the dev server.
To test auth locally, set the environment variables before starting dev mode:

```bash
PROJECT_ID_API_KEY=mykey PROJECT_ID_API_SECRET=mysecret sinch functions dev
```

Once auth is enabled (locally with env vars or after deployment):

```bash
# Authenticated request
curl -u YOUR_API_KEY:YOUR_API_SECRET https://your-function-url/webhook

# This is equivalent to the following (tr removes the line wrap that
# base64 inserts into long output, which would otherwise break the header):
curl -H "Authorization: Basic $(printf '%s' 'YOUR_API_KEY:YOUR_API_SECRET' | base64 | tr -d '\n')" \
  https://your-function-url/webhook

# Without credentials — returns 401
curl https://your-function-url/webhook
```

These endpoints bypass auth regardless of your configuration:

| Endpoint | Reason |
|---|---|
| Voice callbacks (ICE, ACE, DiCE, PIE) | Validated by webhook signature, not Basic Auth |
| Health checks (`/health`) | Used by infrastructure for liveness probes |
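
The check sequence described on this page, sketched as an added example (not the Sinch runtime's code and not part of the original page): a gate that applies the `auth` export, parses the `Authorization: Basic` header and compares it against `PROJECT_ID_API_KEY` and `PROJECT_ID_API_SECRET`, including the dev-mode skip when they are unset. The names `gate`, `parseBasic`, `safeEqual`, `basicHeader`, the decision strings and the sample credentials are assumptions made for illustration; the bypass endpoints are not modelled.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto';

type AuthConfig = '*' | string[];                       // shape of the `auth` export
type Env = Record<string, string | undefined>;
type Decision = 'open' | 'pass' | 'skipped' | 'denied'; // 'denied' maps to 401

// Constructed sample credentials; the secret contains ':' on purpose.
const SAMPLE_ENV: Env = { PROJECT_ID_API_KEY: 'mykey', PROJECT_ID_API_SECRET: 'my:secret' };

// Build the header value a client such as `curl -u key:secret` would send.
function basicHeader(key: string, secret: string): string {
  return 'Basic ' + Buffer.from(`${key}:${secret}`, 'utf8').toString('base64');
}

// Hash both sides so timingSafeEqual always gets equal-length buffers.
function safeEqual(a: string, b: string): boolean {
  const h = (s: string) => createHash('sha256').update(s, 'utf8').digest();
  return timingSafeEqual(h(a), h(b));
}

// Parse "Basic <base64(key:secret)>"; returns null when malformed.
function parseBasic(header?: string): { key: string; secret: string } | null {
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(header ?? '');
  if (!m) return null;
  const decoded = Buffer.from(m[1] ?? '', 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // split on the first ':' only
  return i < 0 ? null : { key: decoded.slice(0, i), secret: decoded.slice(i + 1) };
}

function gate(handler: string, auth: AuthConfig, header: string | undefined, env: Env): Decision {
  if (auth !== '*' && !auth.includes(handler)) return 'open'; // not listed in `auth`
  const key = env['PROJECT_ID_API_KEY'];
  const secret = env['PROJECT_ID_API_SECRET'];
  // Dev-mode behaviour described on this page: no credentials configured, auth skipped.
  if (!key || !secret) return 'skipped';
  const creds = parseBasic(header);
  if (!creds) return 'denied';
  // Evaluate both comparisons before combining, so a wrong key and a wrong
  // secret take the same code path.
  const keyOk = safeEqual(creds.key, key);
  const secretOk = safeEqual(creds.secret, secret);
  return keyOk && secretOk ? 'pass' : 'denied';
}

console.log(gate('webhook', ['webhook'], basicHeader('mykey', 'my:secret'), SAMPLE_ENV));
console.log(gate('webhook', ['webhook'], undefined, {}));
```

The `'skipped'` result is the case the tunnel caveat concerns: a handler listed in `auth` is served without any credential check.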