***

title: AuthHandler
slug: /reference/typescript/agents/configuration/auth-handler
description: Multi-method authentication handler with timing-safe credential comparison.
max-toc-depth: 3
---------------------

For a complete index of all SignalWire documentation pages, fetch https://signalwire.com/docs/llms.txt

[validate]: /docs/server-sdks/reference/typescript/agents/configuration/auth-handler/validate

[middleware]: /docs/server-sdks/reference/typescript/agents/configuration/auth-handler/middleware

[hasbearerauth]: /docs/server-sdks/reference/typescript/agents/configuration/auth-handler/has-bearer-auth

[hasapikeyauth]: /docs/server-sdks/reference/typescript/agents/configuration/auth-handler/has-api-key-auth

[hasbasicauth]: /docs/server-sdks/reference/typescript/agents/configuration/auth-handler/has-basic-auth

`AuthHandler` provides a unified authentication layer supporting Bearer tokens,
API keys, and HTTP Basic Auth. All credential comparisons use constant-time
algorithms to prevent timing attacks. It can be used as Hono middleware or as a
standalone request validator.

```typescript {3-6}
import { AuthHandler } from '@signalwire/sdk';

const auth = new AuthHandler({
  bearerToken: 'my-secret-token',
  apiKey: 'my-api-key',
});
```

## **Constructor**

<ParamField path="config" type="AuthConfig" required={true} toc={true}>
  Authentication configuration object with the following optional fields:
</ParamField>

<Indent>
  <ParamField path="config.bearerToken" type="string" toc={true}>
    Bearer token matched against the `Authorization: Bearer <token>` header.
  </ParamField>

  <ParamField path="config.apiKey" type="string" toc={true}>
    API key matched against the `X-Api-Key` header.
  </ParamField>

  <ParamField path="config.basicAuth" type="[string, string]" toc={true}>
    Basic auth credentials as a `[username, password]` tuple.
  </ParamField>

  <ParamField path="config.customValidator" type="(request: { headers, method, url }) => boolean | Promise<boolean>" toc={true}>
    Custom validator function. Return `true` to allow the request.
  </ParamField>

  <ParamField path="config.allowUnauthenticated" type="boolean" toc={true}>
    When explicitly set to `false`, deny requests if no auth methods are configured.
    By default, unauthenticated access is allowed when no methods are set.
  </ParamField>
</Indent>

## **Methods**

<CardGroup cols={3}>
  <Card title="validate" href="/docs/server-sdks/reference/typescript/agents/configuration/auth-handler/validate">
    Validate request headers against all configured auth methods.
  </Card>

  <Card title="middleware" href="/docs/server-sdks/reference/typescript/agents/configuration/auth-handler/middleware">
    Create a Hono-compatible middleware that rejects unauthorized requests.
  </Card>

  <Card title="hasBearerAuth" href="/docs/server-sdks/reference/typescript/agents/configuration/auth-handler/has-bearer-auth">
    Check whether Bearer token authentication is configured.
  </Card>

  <Card title="hasApiKeyAuth" href="/docs/server-sdks/reference/typescript/agents/configuration/auth-handler/has-api-key-auth">
    Check whether API key authentication is configured.
  </Card>

  <Card title="hasBasicAuth" href="/docs/server-sdks/reference/typescript/agents/configuration/auth-handler/has-basic-auth">
    Check whether Basic authentication is configured.
  </Card>
</CardGroup>

## **Example**

```typescript {4-7,10}
import { AuthHandler } from '@signalwire/sdk';

const auth = new AuthHandler({
  bearerToken: process.env.AUTH_TOKEN,
  basicAuth: ['admin', 'secret'],
  apiKey: process.env.API_KEY,
});

// Check which methods are configured
console.log('Bearer:', auth.hasBearerAuth());   // true
console.log('API Key:', auth.hasApiKeyAuth());   // true
console.log('Basic:', auth.hasBasicAuth());      // true

// Validate incoming request headers
const isValid = await auth.validate({
  authorization: 'Bearer my-secret-token',
});
console.log('Valid:', isValid);
```