{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-docs/functions/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["partial"]},"type":"markdown"},"seo":{"title":"Developer Documentation","siteUrl":"https://developers.sinch.com","llmstxt":{"title":"Sinch Developer Documentation","description":"LLMs.txt containing a map of all the documentation files for Sinch.","sections":[{"title":"SMS API","description":"The SMS API allows you to send and receive SMS messages with a few easy steps. You can also send bulk SMS messages to multiple customers using the Sinch SMS service.","includeFiles":["docs/sms/**/*.md","docs/sms/**/*.yaml"],"excludeFiles":["docs/sms/index.md"]},{"title":"Numbers API","description":"The Numbers API enables you to search for, view, and activate numbers. It's considered a precursor to other APIs in the Sinch product family. The numbers API can be used in tandem with any of our APIs that perform messaging or calling.","includeFiles":["docs/numbers/**/*.md","docs/numbers/**/*.yaml"],"excludeFiles":["docs/numbers/index.md"]},{"title":"Conversation API","description":"Send and receive messages globally on many popular channels with ease and confidence when using Sinch's Conversation API. Conversation API is the preferred API for sending mobile messages on SMS and other social channels with Sinch. It is a simple API with unified error messages, consistent request payloads, and common webhook payloads that are channel-agnostic.","includeFiles":["docs/conversation/**/*.md","docs/conversation/**/*.yaml"],"excludeFiles":["docs/conversation/index.md"]},{"title":"Voice API","description":"The Voice API works as a big telephony switch. The Voice API handles incoming phone calls (also known as incoming call “legs”), sets up outgoing phone calls (or outgoing call “legs”), and bridges the two. The incoming call leg may come in over a data connection (from a smartphone or web application using the Sinch SDKs) or through a local phone number (from the PSTN network). Similarly, the outgoing call leg can be over data (to another smartphone or web application using the Sinch SDKs) or the PSTN network.","includeFiles":["docs/voice/**/*.md","docs/voice/**/*.yaml"],"excludeFiles":["docs/voice/index.md"]},{"title":"Verification API","description":"The Verification API is a platform for phone number verification. It consists of the API and different software development kits (the Sinch SDKs) that you integrate with your smartphone or web application and cloud based back-end services. Together they enable SMS, Flashcall, Phone Call and Data verification in your application.","includeFiles":["docs/verification/**/*.md","docs/verification/**/*.yaml"],"excludeFiles":["docs/verification/index.md"]},{"title":"Provisioning API","description":"Provisioning API allows you to programmatically set up your senders, accounts and templates on your favorite messaging platforms on the Conversation API. For now, you can create your first WhatsApp channel through Meta's Embedded sign up, you can configure your first SMS App and configure your webhooks. As development continues, we will be adding the most commonly used channels.","includeFiles":["docs/provisioning-api/**/*.md","docs/provisioning-api/**/*.json"],"excludeFiles":["docs/provisioning-api/index.md"]},{"title":"Elastic SIP Trunking API","description":"With Elastic SIP Trunking you can create and manage your SIP trunks and phone numbers programmatically.","includeFiles":["docs/est/**/*.md","docs/est/**/*.yaml"],"excludeFiles":["docs/est/index.md"]},{"title":"Fax API","description":"Send and receive HIPAA compliant faxes on our modern fax platform using our developer-friendly API.","includeFiles":["docs/fax/**/*.md","docs/fax/**/*.yaml"],"excludeFiles":["docs/fax/index.md"]},{"title":"In-app Voice and Video SDK","description":"The In-app Voice and Video SDK enables you to add voice and video calling capabilities directly into your mobile or web application using the Sinch SDKs.","includeFiles":["docs/in-app-calling/**/*.md"],"excludeFiles":["docs/in-app-calling/index.md"]}],"hide":false,"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"protecting-your-function","__idx":0},"children":["Protecting Your Function"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Sinch Functions can require authentication on any handler. When enabled, callers must provide your project's API key and secret via Basic Auth. This lets you expose HTTP endpoints that only your systems can reach."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"how-it-works","__idx":1},"children":["How it works"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["You mark which handlers require auth (or all of them)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The runtime checks incoming requests for an ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Authorization: Basic"]}," header"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Credentials are validated against ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PROJECT_ID_API_KEY"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PROJECT_ID_API_SECRET"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Invalid or missing credentials get a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["401 Unauthorized"]}," response"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Voice callbacks (ICE, ACE, DiCE, PIE) and health checks are ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["never"]}," auth-gated — they come from the Sinch platform and use webhook signature validation instead."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"declaring-protected-handlers","__idx":2},"children":["Declaring protected handlers"]},{"$$mdtype":"Tag","name":"Tabs","attributes":{"size":"medium"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"label":"Node.js","disable":false},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Export an ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["auth"]}," array with the handler names you want to protect:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"typescript","header":{"controls":{"copy":{}}},"source":"import type { FunctionContext, FunctionRequest } from '@sinch/functions-runtime';\n\n// Protect the 'webhook' handler — callers must authenticate\nexport const auth = ['webhook'];\n\nexport async function webhook(context: FunctionContext, request: FunctionRequest) {\n  // Only reachable with valid credentials\n  return { received: request.body };\n}\n\nexport async function status(context: FunctionContext, request: FunctionRequest) {\n  // No auth required — not listed in the auth array\n  return { ok: true };\n}\n","lang":"typescript"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To protect ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["all"]}," handlers:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"typescript","header":{"controls":{"copy":{}}},"source":"export const auth = '*';\n","lang":"typescript"},"children":[]}]},{"$$mdtype":"Tag","name":"div","attributes":{"label":"C#","disable":false},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Add the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["[Authorize]"]}," attribute to controller actions:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"csharp","header":{"controls":{"copy":{}}},"source":"using Microsoft.AspNetCore.Authorization;\n\npublic class FunctionController : SinchController\n{\n    [Authorize]\n    public IActionResult Webhook()\n    {\n        // Only reachable with valid credentials\n        return Ok(new { received = \"data\" });\n    }\n\n    public IActionResult Status()\n    {\n        // No auth required — no [Authorize] attribute\n        return Ok(new { ok = true });\n    }\n}\n","lang":"csharp"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"credentials","__idx":3},"children":["Credentials"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Auth uses your Sinch project's API key and secret — the same credentials you use with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["sinch auth login"]},". When deployed, these are injected automatically as environment variables:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PROJECT_ID_API_KEY"]}," — your project's API key"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PROJECT_ID_API_SECRET"]}," — your project's API secret"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You don't need to configure anything. The runtime reads these from the environment at startup."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"local-development","__idx":4},"children":["Local development"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["During local development (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["sinch functions dev"]},"), auth is ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["skipped"]}," when credentials aren't configured. This means you can test your handlers without setting up auth locally."]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["If you run ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["sinch functions dev"]}," with a public tunnel"]},", your local server is reachable from the internet for the duration of the dev session. With auth skipped, any endpoint you marked as protected is effectively open to the world during that window. To test auth end-to-end through the tunnel, set the credentials (see below) before starting the dev server."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To test auth locally, set the environment variables before starting dev mode:"]},{"$$mdtype":"Tag","name":"Tabs","attributes":{"size":"medium"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"label":"Node.js","disable":false},"children":[{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"PROJECT_ID_API_KEY=mykey PROJECT_ID_API_SECRET=mysecret sinch functions dev\n","lang":"bash"},"children":[]}]},{"$$mdtype":"Tag","name":"div","attributes":{"label":"C#","disable":false},"children":[{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"PROJECT_ID_API_KEY=mykey PROJECT_ID_API_SECRET=mysecret sinch functions dev\n","lang":"bash"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"testing-with-curl","__idx":5},"children":["Testing with curl"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once auth is enabled (locally with env vars or after deployment):"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"# Authenticated request\ncurl -u YOUR_API_KEY:YOUR_API_SECRET https://your-function-url/webhook\n\n# This is equivalent to:\ncurl -H \"Authorization: Basic $(echo -n 'YOUR_API_KEY:YOUR_API_SECRET' | base64)\" \\\n  https://your-function-url/webhook\n\n# Without credentials — returns 401\ncurl https://your-function-url/webhook\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"whats-not-protected","__idx":6},"children":["What's not protected"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["These endpoints bypass auth regardless of your configuration:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Endpoint"},"children":["Endpoint"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Reason"},"children":["Reason"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Voice callbacks (ICE, ACE, DiCE, PIE)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Validated by webhook signature, not Basic Auth"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Health checks (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/health"]},")"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Used by infrastructure for liveness probes"]}]}]}]}]}]},"headings":[{"value":"Protecting Your Function","id":"protecting-your-function","depth":1},{"value":"How it works","id":"how-it-works","depth":2},{"value":"Declaring protected handlers","id":"declaring-protected-handlers","depth":2},{"value":"Credentials","id":"credentials","depth":2},{"value":"Local development","id":"local-development","depth":2},{"value":"Testing with curl","id":"testing-with-curl","depth":2},{"value":"What's not protected","id":"whats-not-protected","depth":2}],"frontmatter":{"seo":{"title":""}},"lastModified":"2026-04-15T14:23:23.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/docs/functions/guides/protect-your-function","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}