Authentication overview

Sinch provides a suite of APIs for integrating messaging, voice, and video capabilities into applications. Secure access to these APIs is managed through specific authentication mechanisms, ensuring that only authorized requests are processed. The choice of authentication method depends on the specific Sinch API endpoint being accessed, with the majority of modern services utilizing token-based authentication derived from OAuth 2.0 principles. This approach helps protect user data and maintain the integrity of communication channels.

Authentication for Sinch APIs generally involves generating and managing credentials within the Sinch Dashboard. These credentials, such as application keys, secrets, and API tokens, are then used to sign API requests, typically by including them in the HTTP headers. Secure handling and storage of these credentials are critical to prevent unauthorized access to communication services and potential misuse of an application's Sinch account.

Supported authentication methods

Sinch supports two primary authentication methods for its APIs: Bearer Token (OAuth 2.0) and Basic Authentication. The recommended method for most new integrations and modern APIs is Bearer Token authentication, which offers a more robust and flexible security model. Basic Authentication is primarily used for specific, often older, API endpoints or particular SDK integrations.

Bearer Token Authentication (OAuth 2.0)

Bearer Token authentication is the standard and recommended method for accessing most Sinch APIs, including the SMS, Voice, and Verify APIs. This method adheres to the OAuth 2.0 framework, where an application obtains an access token (the "Bearer Token") and includes it in the Authorization header of HTTP requests. The token grants access to specific resources without exposing the original credentials. Developers create an Application Key and Application Secret in the Sinch Dashboard, which are then used to generate a JWT (JSON Web Token) that acts as the Bearer Token for subsequent API calls. The token typically has a limited lifespan and must be refreshed periodically to maintain authenticated access. For a deeper understanding of token-based authentication, the OAuth 2.0 specification outlines the underlying principles.

Basic Authentication

Basic Authentication is a simpler method primarily used for certain legacy Sinch API endpoints or specific client libraries, such as the older SMS API versions or some SDKs. With Basic Authentication, the client sends a username and password (or an equivalent pair like a Service Plan ID and API Token) with each request, encoded in Base64 and included in the Authorization header. While simpler to implement, it's generally less secure than Bearer Token authentication because the credentials are sent with every request and are susceptible if the communication channel is not properly secured with TLS. Sinch documentation provides specific guidance on when to use Basic Authentication for particular Sinch API endpoints.

Authentication methods overview

Method When to use Security Level Credential Type
Bearer Token (OAuth 2.0) Most modern Sinch APIs (SMS, Voice, Verify, etc.) High (token-based, short-lived) Application Key & Secret (to generate JWT bearer token)
Basic Authentication Specific legacy endpoints or older SDK integrations Moderate (requires TLS for full security) Service Plan ID & API Token

Getting your credentials

Accessing Sinch APIs requires specific credentials, which are managed and generated within the Sinch Developer Dashboard. The process for obtaining credentials varies slightly depending on whether you need an Application Key/Secret for Bearer Token authentication or a Service Plan ID/API Token for Basic Authentication.

For Bearer Token Authentication (Application Key and Secret)

  1. Create a Sinch Account: If you don't have one, register for an account on the Sinch website.
  2. Navigate to your Dashboard: Log in to the Sinch Developer Dashboard.
  3. Create an Application: Go to the "Applications" section and create a new application. This action generates a unique Application Key and Application Secret.
  4. Store Credentials Securely: The Application Secret is typically shown only once upon creation. It is crucial to copy and store it immediately in a secure location. If lost, you may need to regenerate it, which can invalidate existing integrations.
  5. Configure Capabilities: Ensure your application is configured with the necessary capabilities (e.g., SMS, Voice) to match the APIs you intend to use.

For Basic Authentication (Service Plan ID and API Token)

  1. Access the Dashboard: Log in to your Sinch Developer Dashboard.
  2. Find Service Plan Details: Navigate to the relevant service or project section where your Service Plans are managed.
  3. Retrieve API Token: Within the Service Plan settings, you will find your Service Plan ID and an associated API Token. These are used together for Basic Authentication.
  4. Secure Storage: Similar to Application Secrets, API Tokens should be treated as highly sensitive data and stored securely.

For detailed, step-by-step instructions, refer to the official Sinch developer documentation on setting up applications and credentials.

Authenticated request example

This example demonstrates how to make an authenticated request to the Sinch SMS API using a Bearer Token (JWT). The JWT is generated using your Application Key and Application Secret, and then included in the Authorization header.

Generating the JWT (Node.js example)


const jwt = require('jsonwebtoken');

const applicationKey = 'YOUR_APPLICATION_KEY';
const applicationSecret = 'YOUR_APPLICATION_SECRET';

const payload = {
  "iss": applicationKey,
  "iat": Math.floor(Date.now() / 1000),
  "exp": Math.floor(Date.now() / 1000) + (60 * 60) // Token expires in 1 hour
};

const token = jwt.sign(payload, Buffer.from(applicationSecret, 'base64'));
console.log(token);

Making an API Request with the Bearer Token (cURL example)

Once you have generated your JWT (YOUR_GENERATED_JWT), you can send an SMS using the Sinch SMS API:


curl -X POST 'https://us.sms.api.sinch.com/xms/v1/YOUR_SERVICE_PLAN_ID/batches'
  -H 'Content-Type: application/json'
  -H 'Authorization: Bearer YOUR_GENERATED_JWT'
  -d '{
    "to": ["+1234567890"],
    "from": "+1123456789",
    "body": "Hello from Sinch!"
  }'

Replace YOUR_SERVICE_PLAN_ID, YOUR_GENERATED_JWT, +1234567890 (recipient), and +1123456789 (sender) with your actual values. This example uses the SMS API endpoint, but similar principles apply to other Sinch APIs that use Bearer Token authentication.

Security best practices

Securing your Sinch API credentials and ensuring the integrity of your API calls is paramount for protecting your application and user data. Adhering to these best practices will help mitigate common security risks.

  • Never hardcode credentials: Avoid embedding API keys, secrets, or tokens directly in your source code. Use environment variables, configuration files, or secure secrets management services (e.g., AWS Secrets Manager, Google Cloud Secret Manager, Azure Key Vault) to retrieve credentials at runtime. This practice prevents exposing sensitive data if your code repository is compromised.
  • Use environment variables: Store API keys and secrets in environment variables when deploying applications to production or development environments. This isolates credentials from your codebase and allows for easy rotation without code changes.
  • Implement credential rotation: Regularly rotate your Application Secrets and API Tokens. Frequent rotation limits the window of exposure if a credential is ever compromised. Sinch provides mechanisms in the dashboard to regenerate these credentials.
  • Restrict IP addresses: If your application has a static outbound IP address, configure API access restrictions in the Sinch Dashboard to only allow requests originating from these whitelisted IPs. This adds an extra layer of security by preventing unauthorized access attempts from unknown locations.
  • Use TLS/SSL for all communications: Always ensure that all your API requests to Sinch are made over HTTPS (TLS/SSL). This encrypts data in transit, protecting your credentials and message content from eavesdropping. Sinch API endpoints inherently enforce HTTPS, but it's crucial to confirm your client-side implementation also uses it. The IETF's TLS 1.3 specification details the latest security enhancements for transport layer security.
  • Scope API permissions: When creating applications or service plans, grant only the minimum necessary permissions required for your application to function. For example, if your application only sends SMS, do not grant it Voice API permissions. This principle of least privilege limits the potential damage if an API key is compromised.
  • Secure your development environment: Ensure that your local development machines and staging environments are also secured, as credentials used there could be vulnerable. Avoid storing production credentials on development machines.
  • Monitor API usage: Regularly review your Sinch API usage logs for any unusual activity or spikes that could indicate unauthorized access or misuse. Set up alerts for unexpected patterns to react quickly to potential security incidents.
  • Error handling and logging: Implement robust error handling for API authentication failures without exposing sensitive information in public-facing error messages. Log authentication attempts and failures securely for auditing purposes.