# Public Authentication Public Authentication is designed for Device-to-Server scenarios where the Verification API has to be called in untrusted environment - i.e. mobile application on end user's phone. In such case secret could be extracted from app, and used to send fraudulent traffic. This authentication methods uses additional out of process webhook to authorize API call. Note: Sinch's mobile SDKs support Public Authentication for both [iOS](/docs/verification/ios) and [Android](/docs/verification/android). When a request is received, Verification sends a Verification Request Event to a Callback URL configured in the app settings on the Dashboard. If the callback is not handled, the verification process will be rejected. It's important to correlate callbacks with your business processes to prevent fraud. Below is a pseudocode example of setting up an Authorization header for requests to Sinch: ```shell Authorization = "Application " + ApplicationKey ``` ## Configuring the Callback URL You can configure the Callback URL in the [Sinch Dashboard](https://dashboard.sinch.com/verification/apps) for each application. ![sinch-dashboard](/assets/dashboard-callback-url-border.a275f7895b73eb87b6a9ce0c12fd21ceb9eb31bde83c226b27b271554df89598.68825967.png) ## Verifying the Callback Callbacks sent to your backend are signed by Verification. See [Callback Request Signing](/docs/verification/api-reference/authentication/callback-signed-request) for details. Warning! Always verify that the callback is from Sinch by checking its signature. ## Responding to the Callback When your backend receives a callback, you **must**: 1. Correlate it with your business process - do not respond "Allow" to all messages. 2. Decide whether to allow or deny the verification. Warning! Improper or careless callback setup can expose you to fraud and attacks like Artificial Inflation of Traffic (AIT). AIT generates fake traffic, increasing costs and compromising security. For details on callback request and response schemas, refer to the [Verification Callbacks section](/docs/verification/api-reference/verification/verification-callbacks/verificationrequestevent).