Authentication
SheerID recommends creating every verification from your authenticated backend. This page explains why, and shows the two ways to require authentication so verification IDs can only originate from you.
Authenticate by default
SheerID recommends that every verification be created from your authenticated backend, using an OAuth bearer token. Creating verifications from a server you control — rather than letting the form mint them on load — keeps verification IDs inside a closed loop that only you can initiate.
The fully public flow (where the form creates the verification with no token) still exists and is the default for standard form embeds, but it is the exception we recommend moving away from for any integration that can pre-generate verifications.
Why authenticate verification creation
- Prevent offer abuse. When creation requires a token, bad actors can no longer generate verification IDs on their own to probe or spoof your verification flow.
- Data integrity. Every verification in your system provably originated from your own secure environment.
- Access management. Only authorized requests can start a new verification session, which also satisfies stricter security policies some organizations require.
Choose your path
| If you… | Use | How |
|---|---|---|
| Call the REST API directly from a backend | API Token Policy | Require a token on all endpoints — see API Tokens |
| Use a hosted or JavaScript-library form but want secure creation | API Access Control | Pre-generate the verificationId, then redirect to the form — see Secure Verification Creation |
| Just need a token to call a protected endpoint | OAuth dynamic token | Generate a dynamic token |
Getting a token
SheerID uses the OAuth 2.0 Client Credentials grant: your application exchanges a Client ID and Client Secret for a short-lived bearer token, then sends that token as an Authorization: Bearer header on API calls. For the full walkthrough (generating static and dynamic tokens, and using them), see API Tokens.
Enabling these protections
The API Token Policy and API Access Control settings are enabled by SheerID on your account or program. To turn either on, contact your SheerID account team.
Next steps
- API Tokens — generate and use OAuth tokens.
- Secure Verification Creation — pre-generate verifications and redirect to the hosted form.
- REST API tutorial — run a verification end-to-end.