# Authentication

This document explains the available authentication methods and their use cases.

# Authentication types

The Sinch Verification API supports two Server-to-Server authentication methods: [Application Signed Requests](/docs/verification/api-reference/authentication/application-signed-request) and [Basic Authentication](/docs/verification/api-reference/authentication/basic-authentication). It should be used with our Node, .NET, Java and Python SDKs.

[Public Authentication](/docs/verification/api-reference/authentication/public-authentication) is an additional method for SDK-based Device-to-Server scenarios. It requires more setup, and allows you to make requests from untrusted environment (i.e. end user device). It should be used with iOS and Android SDKs, or in any case where you cannot secure application credentials.

# Use cases

## Server-to-Server

In this scenario, verifications are initiated from your backend, allowing for stronger authentication since secrets are securely managed.

Use [Application Signed Requests](/docs/verification/api-reference/authentication/application-signed-request) in production. For prototyping, use [Basic Authentication](/docs/verification/api-reference/authentication/basic-authentication).

## Device-to-Server

In this scenario, verifications are initiated from an untrusted mobile device, so secrets must not be stored on the device. Use the Sinch SDK for your platform, which applies [Public Authentication](/docs/verification/api-reference/authentication/public-authentication) to protect secrets. Verification callbacks are required to validate requests and prevent fraud. See the [callback documentation](/docs/verification/api-reference/verification/verification-callbacks/) for details.