> ## Documentation Index
> Fetch the complete documentation index at: https://tyk.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Upstream Authentication
> Authenticating Tyk Gateway with upstream services
## Introduction
Tyk Gateway sits between your clients and your services, securely routing requests and responses. For each API proxy that you expose on Tyk, you can configure a range of different methods that clients must use to identify (authenticate) themselves to Tyk Gateway. These are described in detail in the [Client Authentication](/5.12/api-management/client-authentication) section.
In the same way as you use Client Authentication to securely confirm the identity of the API clients, your upstream services probably need to securely confirm the identity of their client - namely Tyk. This is where Tyk's flexible **Upstream Authentication** capability comes in.
When using Tyk, you can choose from a range of authentication methods for each upstream API:
* [Mutual TLS](/5.12/api-management/upstream-authentication/mtls)
* [Token-based authentication](/5.12/api-management/upstream-authentication/auth-token)
* [Request signing](/5.12/api-management/upstream-authentication/request-signing)
* [Basic Authentication](/5.12/api-management/upstream-authentication/basic-auth)
* [OAuth 2.0](/5.12/api-management/upstream-authentication/oauth)
* [OAuth 2.0 Client Credentials](/5.12/api-management/upstream-authentication/oauth#oauth-client-credentials)
* [OAuth 2.0 Password Grant](/5.12/api-management/upstream-authentication/oauth#oauth-resource-owner-password-credentials)
Upstream Basic Authentication and OAuth 2.0 support are only available to licensed users, via the Tyk Dashboard. These features are not available to open source users.
Note that OAuth 2.0 Password Grant is prohibited in the [OAuth 2.0 Security Best Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13#section-3.4") but is supported by Tyk for use with legacy upstream services.