> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mnai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication overview

> Learn when Meridian Accounts uses partner HMAC authentication versus Meridian JWT bearer authentication.

Meridian Accounts uses two authentication layers that serve different purposes:

* **Partner HMAC authentication** proves that your backend is an entitled Meridian integrator
* **JWT bearer authentication** carries Meridian user context after a token has already been minted

These are not competing end-user options. In a typical integration, your backend first authenticates with partner credentials and HMAC, then receives a Meridian access token, and later uses that JWT on behalf of the target user.

## Which authentication method to use

Use this decision tree for each request:

* If your backend is calling Meridian directly with your partner API Key and Secret, use [server-to-server authentication with HMAC](/products/meridian-accounts/guides/server-to-server-authentication-with-hmac)
* If you already have a Meridian access token and are making a user-scoped API call, use [client-server authentication with JWT](/products/meridian-accounts/guides/client-server-authentication-with-jwt)

## Authentication matrix

| Scenario                        | Caller                | Credential type                   | Required auth fields                                                                                                                     | Typical endpoints                                                        |
| :------------------------------ | :-------------------- | :-------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------- |
| Backend proves partner identity | Your server           | Meridian API Key + HMAC signature | `X-Meridian-Api-Key`, `X-Meridian-Program-Id`, `X-Meridian-Timestamp`, `X-Meridian-Signature`, and `X-Meridian-User-Id` for `MULTI_USER` | `POST /v1/auth/token`, partner-key endpoints supported by the API        |
| User-scoped API access          | Your client or server | Meridian bearer token             | `Authorization: Bearer {token}`                                                                                                          | `GET /v1/enrollment`, `GET /v1/virtual-accounts`, `GET /v1/transactions` |

## How the flow fits together

1. Your backend sends a partner-authenticated request signed with HMAC.
2. Meridian issues a JWT access token for the target user.
3. Your client or backend uses `Authorization: Bearer {token}` on later API requests.

Keep your Meridian API Secret on the server only. Do not try to generate HMAC signatures from a browser or mobile client.

## Related guides

* [Choose your integration model](/products/meridian-accounts/guides/choose-your-integration-model)
* [Server-to-server authentication with HMAC](/products/meridian-accounts/guides/server-to-server-authentication-with-hmac)
* [Client-server authentication with JWT](/products/meridian-accounts/guides/client-server-authentication-with-jwt)
