Authentication
This document explains the available authentication methods and their use cases.
Authentication types
The Sinch Verification API supports two Server-to-Server authentication methods: Application Signed Requests and Basic Authentication. These methods should be used with our Node, .NET, Java and Python SDKs.
Public Authentication is an additional method for SDK-based Device-to-Server scenarios. It requires more setup, and allows you to make requests from an untrusted environment (i.e. an end-user device). It should be used with the iOS and Android SDKs, or in any case where you cannot secure application credentials.
Use cases
Server-to-Server
In this scenario, verifications are initiated from your backend, allowing for stronger authentication since secrets are securely managed.
Use Application Signed Requests in production. For prototyping, use Basic Authentication.
Device-to-Server
In this scenario, verifications are initiated from an untrusted mobile device, so secrets must not be stored on the device. Use the Sinch SDK for your platform, which applies Public Authentication to protect secrets. Verification callbacks are required to validate requests and prevent fraud. See the callback documentation for details.