# Understanding Amazon Chime SDK messaging architecture
<a name="messaging-architecture"></a>

You can use Amazon Chime SDK messaging as a server-side and a client-side SDK. The server-side APIs create an `AppInstance` and `AppInstanceUser`. You can use various hooks and configurations to add application specific business logic and validation. For more information about doing that, see [Streaming messaging data in Amazon Chime SDK messaging](streaming-export.md). Additionally, server-side processes can call APIs on behalf of an `AppInstanceUser`, or control a dedicated `AppInstanceUser` that represents back-end processes.

Client-side applications represented as an `AppInstanceUser` can call the Amazon Chime SDK messaging APIs directly. Client-side applications use the WebSocket protocol to connect to the messaging SDK when they are online. When connected, they receive real-time messages from any channel that they are a member of. When disconnected, an `AppInstanceUser` still belongs to the channels it was added to, and it can load the message history of those channels by using the SDK's HTTP based APIs.

Client-side applications have permissions to make API calls as a single `AppInstanceUser`. To scope IAM credentials to a single `AppInstanceUser`, client side applications assume a parameterized IAM role via AWS Cognito Identity Pools, or by a small self-hosted back-end API. For more information about authentication, see [Authenticating end-user client applications for Amazon Chime SDK messaging](auth-client-apps.md). In contrast, server side applications typically have permissions tied to a single app instance user, such as a user with administrative permissions, or they have permissions to make API calls on behalf of all app instance users.