Implementing authentication

I saw a few questions related to this but nothing I found quite answered my question. We are experimenting with the nRF9161 DK, and we need to securely identify which device in our fleet is making the API call. We thought about implementing mTLS ourselves at the application layer, but we wanted to know if nRF Cloud has any built-in mechanism identify and validate devices (i.e., whether the API call is "legitimate"). For example, can I use the device's identity to "sign" an API call, and then validate that API call signature in our backend cloud application to verify whether it is actually a "real" device that belongs to our fleet? (We are NOT using MQTT or Azure/AWS IoT Hub -- this is a backend API that would be accessed over HTTPS.) If not, any other suggestions for implementing machine authentication other than implementing everything ourselves?

Related