API Gateway:Call an API in simple authentication mode

Last Updated:Jan 03, 2024

API Gateway provides three ways for you to authenticate your API callers: AppCodes, JSON Web Token (JWT) plug-ins, and third-party authentication plug-ins. AppCodes can be used in two authentication modes: signature-based authentication and simple authentication.

1. Overview

For information about the signature-based authentication mode, see Use digest authentication to call an API.

This topic describes how to configure the simple authentication mode and call an API based on this authentication mode. Simple authentication is much easier to implement than signature-based authentication because simple authentication does not involve the complex process of signature calculation. Simple authentication requires only an AppCode that is automatically issued by API Gateway to an application. Your callers must add the AppCode in the header or as a query parameter to a request to call your API. The following process describes how simple authentication works:

  1. When you create an API, you select Alibaba Cloud App for the Security Authentication parameter and Enable AppCode Authentication (Header & Query) for the AppCode Authentication parameter. By default, all APIs in Alibaba Cloud Marketplace support AppCode authentication.

  2. Your caller creates an application in the API Gateway console. If you purchase an API in Alibaba Cloud Marketplace, Alibaba Cloud Marketplace creates an application for the API.

  3. You authorize the application to call your API. For more information, see Create an API with a backend service of the HTTP type.

  4. The API caller logs on to the API Gateway console, chooses Call API > Apps, clicks their application, and uses the AppCode and AppSecret for signature-based authentication or simply uses the AppCode for simple authentication.

2. Create an API that supports simple authentication

  1. In the Basic Information step of the Create API wizard, select Alibaba Cloud App for the Security Authentication parameter.

  2. Select a value for the AppCode Authentication parameter.

The following items describe the optional values:

  • Enable After API Publish to Alibaba Cloud Marketplace: AppCode authentication is disabled by default. If the API is published in Alibaba Cloud Marketplace, AppCode authentication is enabled, and API callers must add the AppCode to their requests to call the API.

  • Disable AppCode Authentication: AppCode authentication is disabled regardless of whether the API is published in Alibaba Cloud Marketplace. API callers must add a signature to their requests to call the API.

  • Enable AppCode Authentication (Header): AppCode authentication is enabled regardless of whether the API is published in Alibaba Cloud Marketplace. However, API callers must add the AppCode to the Headers section of their requests to call the API.

  • Enable AppCode Authentication (Header & Query): AppCode authentication is enabled regardless of whether the API is published in Alibaba Cloud Marketplace. API callers can add the AppCode to the Headers section or the Query section of their requests to call the API.

Note: In the Define API Request step, you do not need to define any parameter that carries the AppCode.

3. Call the API by using simple authentication

After you enable AppCode authentication for your API, your caller can call your API in simple authentication mode. This section describes how to do so. Your caller can add the AppCode either to the Headers section or to the Query section of their requests.

3.1 Add the AppCode in the Headers section

  • Add a parameter named Authorization to the Headers section of an API request.

  • The value of the Authorization parameter must be specified in the "APPCODE AppCode value" format.

Format:

Authorization:APPCODE AppCode value

Example:

Authorization:APPCODE 3F2504E04F8911D39A0C0305E82C3301

Important

If the backend service is an HTTP function, the Authorization parameter is not passed to the backend service. Instead, the parameter is overwritten by the Authorization parameter of the HTTP function. We recommend that you place AppCodes in the Query section.

3.2 Place the AppCode in the Query section

  • Add the AppCode as a Query parameter of an API request. The name of the parameter can be appcode, appCode, APPCODE, or APPCode.

  • The value of the parameter is the AppCode value.

Example:

http://www.aliyum.com?AppCode=3F2504E04F8911D39A0C0305E82C3301

4. Risk warning

Simple authentication is easy to use. However, transmitting the AppCode in plaintext over the network is risky.

Make sure that HTTPS communication is used between the client and API Gateway. Do not transmit data over HTTP. In simple authentication mode, AppCodes are transmitted in plaintext. If you use the unencrypted HTTP protocol, AppCodes transmitted in plaintext can be easily obtained by attackers who capture packets.
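The following added example (not Alibaba Cloud's own code) builds a simple-authentication request in both placements described in sections 3.1 and 3.2, refuses plain HTTP as section 4 requires, and shows a receiver-side check that extracts the AppCode from either location and compares it in constant time. The lookup order (header before query) and the hypothetical URL are assumptions, not behaviour documented on this page.

```python
"""Added example: API Gateway simple authentication (AppCode) request helpers."""
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names the page lists as accepted for the AppCode.
QUERY_NAMES = ("appcode", "appCode", "APPCODE", "APPCode")


def build_request(url, app_code, placement="header"):
    """Return (url, headers) for a call in simple authentication mode.

    placement="header" sets 'Authorization: APPCODE <value>' (section 3.1).
    placement="query" appends appcode=<value> to the URL (section 3.2), the
    placement the page recommends when the backend is an HTTP function,
    because the Authorization header is overwritten there.
    http:// is rejected: the AppCode would travel in plaintext (section 4).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("AppCode must only be sent over HTTPS, got %r" % parts.scheme)
    if placement == "header":
        return url, {"Authorization": "APPCODE " + app_code}
    if placement == "query":
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append(("appcode", app_code))
        return urlunsplit(parts._replace(query=urlencode(query))), {}
    raise ValueError("placement must be 'header' or 'query'")


def extract_app_code(url, headers):
    """Receiver-side lookup: Authorization header first, then any accepted
    query name. The order is an assumption for this example, not the
    gateway's documented behaviour."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme == "APPCODE" and value.strip():
        return value.strip()
    for name, qvalue in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name in QUERY_NAMES and qvalue:
            return qvalue
    return None


def is_authorized(url, headers, expected_app_code):
    """Compare in constant time so the check does not leak the AppCode via timing."""
    presented = extract_app_code(url, headers)
    return presented is not None and hmac.compare_digest(presented, expected_app_code)
```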