REST Authentication
The Verification API uses the standard HTTP Authorization header to pass authentication information to the Sinch servers. You can use basic authentication or signed requests. Additionally, you can set up signed requests for the callbacks the Sinch servers make to your server, so that you can verify they are trusted.
The authentication method to use depends on your workflow.
Server to Server
In this scenario, Verifications are initiated from your backend, where your secrets are protected. Hence, a stronger authentication method can be used.
The available authentication methods for this scenario include:
- application signed requests (recommended)
- basic authentication (for prototyping)
Basic Authentication
Basic authentication is the fastest and simplest method of authenticating API requests. All you need is the application key and secret from the dashboard.
To use basic authentication, set the application key as the username and the secret as the password, as in the following example:
//application call
usernameAndPassword = ApplicationKey + ":" + ApplicationSecret
The username and password must be base64 encoded before being added to the header, as in the following example:
Authorization = "Basic " + Base64 ( usernameAndPassword )
Note:
Basic authentication is quick and easy to use, but it should only be used for testing or prototyping. In a production environment, we recommend using signed requests.
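The header construction above as a runnable sketch, together with the reverse operation that shows why the note limits basic authentication to prototyping: Base64 is an encoding, so anyone who sees the header (a proxy, a debug log, a crash report) recovers the application secret without any key. This is an added example, not Sinch code; the function names are hypothetical and the credentials are constructed samples.

```python
import base64
import binascii


def basic_auth_header(application_key: str, application_secret: str) -> str:
    """Build the Authorization value: "Basic " + Base64(key + ":" + secret)."""
    if not application_key or not application_secret:
        raise ValueError("application key and secret are both required")
    if ":" in application_key:
        # The first ":" separates username from password, so a key that
        # contains one would be split in the wrong place by the receiver.
        raise ValueError("application key must not contain ':'")
    pair = f"{application_key}:{application_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover (key, secret) from a header value; no key material is needed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    try:
        pair = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    key, sep, secret = pair.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return key, secret


def redact_headers(headers: dict[str, str]) -> dict[str, str]:
    """Copy headers for logging with the Authorization credentials removed."""
    safe = {}
    for name, value in headers.items():
        if name.lower() == "authorization":
            # Keep the scheme so logs still show which method was used.
            value = value.split(" ", 1)[0] + " [REDACTED]"
        safe[name] = value
    return safe


if __name__ == "__main__":
    # Constructed sample credentials, not real Sinch values.
    header = basic_auth_header("sample-app-key", "sample-app-secret")
    print(decode_basic_auth(header))  # the secret comes straight back out
    print(redact_headers({"Authorization": header, "Accept": "application/json"}))
```

Pass outgoing request headers through `redact_headers` before they reach any log or error report, since a logged Basic header is equivalent to a logged secret.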
Device to Server
In this scenario, Verifications are initiated from a mobile device, which is untrusted. Secrets must not be stored on an end-user device. It is recommended to use the Sinch SDK tailored for your platform. If opting for a custom solution, use public authentication to prevent secret leakage. Verification callbacks are mandatory in this scenario to allow Sinch to verify the legitimacy of requests and prevent fraud attempts. Refer to the relevant page to learn more about callbacks.
Available authentication methods for this scenario include: