All Products
Search
Document Center

API Gateway:Call an API using simple authentication (AppCode)

Last Updated:Jun 21, 2026

Alibaba Cloud API Gateway provides multiple authentication methods for client requests, including Alibaba Cloud App authentication, JWT plug-ins, and third-party authorization. For Alibaba Cloud App authentication, you can choose between two methods: signature authentication and simple authentication (AppCode). This topic describes how to use simple authentication (AppCode).

Precautions

Simple authentication eliminates the need for complex signing processes. However, it transmits the AppCode in plaintext over the network, which creates a security risk.

Important

You must use HTTPS for communication between the client and API Gateway. Avoid using HTTP for data transmission. Because simple authentication transmits the AppCode in plaintext, using the unencrypted HTTP protocol creates a high risk of the AppCode being compromised if network packets are intercepted.

Overview

  • For information about signature authentication, see Call an API by using signature authentication.

  • Simple authentication (AppCode) authenticates clients using an AppCode issued by API Gateway. The client includes the AppCode in the request header or as a query parameter for authentication. This allows you to quickly call an API.

    1. Create an API that uses simple authentication (AppCode).

    2. Create an app to obtain an AppCode.

    3. Authorize the app to call the API.

    4. Use the AppCode issued by API Gateway for authentication.

Create an API for AppCode authentication

  1. Log on to the API Gateway console. In the left-side navigation pane, choose API Management > API Groups. On the API Groups page, click Create Group in the upper-right corner.

  2. On the Create Group page, select your API Gateway instance from the Instance drop-down list, enter a Group Name and a BasePath, and then click OK.

  3. In the left-side navigation pane, choose API Management > APIs. On the APIs page, click Create API in the upper-right corner.

  4. On the Create API page, in the Basic Information section, select the Group that you created. Enter an API Name. For Security Authentication, select Alibaba Cloud App. For AppCode Authentication, select Enable AppCode Authentication (Header) or Enable AppCode Authentication (Header & Query).

    The following table describes the options for AppCode authentication.

    Option

    Description

    Enable After Publishing to Alibaba Cloud Marketplace

    This option is disabled by default. If the API is published to Alibaba Cloud Marketplace, you can enable this option to allow AppCode authentication in the request header.

    Disable AppCode Authentication

    AppCode authentication is disabled. All API calls must use signature authentication, regardless of whether the API is published to Alibaba Cloud Marketplace.

    Enable AppCode Authentication (Header)

    AppCode authentication is enabled. The AppCode can only be passed in the request header, regardless of whether the API is published to Alibaba Cloud Marketplace.

    Enable AppCode Authentication (Header & Query)

    AppCode authentication is enabled. The AppCode can be passed in the request header or as a query parameter, regardless of whether the API is published to Alibaba Cloud Marketplace.

  5. Select a Signature Algorithm and click Next.

  6. In the Define API Request step, configure the API request. For more information, see Define an API request. Then, click Next.

  7. In the Define Backend Service step, configure the backend service. For more information, see Define backend service information. Then, click Next.

  8. In the Define Response step, configure the response. For more information, see Define a response. Then, click Save.

Note
  • When you define API parameters, you do not need to add a parameter for the AppCode.

  • After creating the API, you can publish it to an environment for debugging.

Create an app

  1. Log on to the API Gateway console. In the left-side navigation pane, choose API Call > Apps. On the Apps page, click Create App in the upper-right corner.

  2. In the Create App dialog box, enter an App Name and click OK.

Note
  • An AppCode is automatically generated for each new app. To find the AppCode, go to the Apps page and click an app name to open its App Details page.

  • When Alibaba Cloud Marketplace users purchase an API, an app is automatically created for them.

Authorize an app to use an AppCode API

  1. Log on to the API Gateway console. In the left-side navigation pane, choose API Management > APIs. On the APIs page, find the API that you created and, in the Actions column, click image and then click Authorize.

  2. In the authorization dialog box, select the Stage and set the Authorization Validity Period. Under Select Apps for Authorization, find the My Apps section and click Search to view the apps in your account. Select the desired app, click Add, and then click OK.

Authenticate using an AppCode

You can provide the AppCode in two ways: in the request header or as a query parameter.

Method 1: Pass AppCode in the header

  • Add an Authorization parameter to the request header.

  • The value of the Authorization field must start with APPCODE, followed by a space and the AppCode value. Format:

    Authorization:APPCODE 

    Example:

    Authorization:APPCODE 3F2504E04F8911D39A0C0305E82C3301
    Important

    If the backend service is an HTTP function, the Authorization header is not passed to the backend service. The Authorization parameter of the HTTP function overwrites it. Therefore, we recommend passing the AppCode as a query parameter.

Method 2: Pass AppCode as a query parameter

  • Add an AppCode parameter to the request query. The parameter name is case-insensitive. You can use appcode, appCode, APPCODE, or APPCode.

  • The value of the AppCode parameter is your AppCode value.

Example:

http://?AppCode=3F2504E04F8911D39A0C0305E82C3301