Alibaba Cloud API Gateway provides multiple authentication methods for client requests, including Alibaba Cloud App authentication, JWT plug-ins, and third-party authorization. For Alibaba Cloud App authentication, you can choose between two methods: signature authentication and simple authentication (AppCode). This topic describes how to use simple authentication (AppCode).
Precautions
Simple authentication eliminates the need for complex signing processes. However, it transmits the AppCode in plaintext over the network, which creates a security risk.
You must use HTTPS for communication between the client and API Gateway. Avoid using HTTP for data transmission. Because simple authentication transmits the AppCode in plaintext, using the unencrypted HTTP protocol creates a high risk of the AppCode being compromised if network packets are intercepted.
Overview
For information about signature authentication, see Call an API by using signature authentication.
Simple authentication (AppCode) authenticates clients using an AppCode issued by API Gateway. The client includes the AppCode in the request header or as a query parameter for authentication. This allows you to quickly call an API.
To use simple authentication, perform the following steps:
- Create an API that uses simple authentication (AppCode).
- Create an app to obtain an AppCode.
- Authorize the app to call the API.
- Use the AppCode issued by API Gateway for authentication.
Create an API for AppCode authentication
- Log on to the API Gateway console. In the left-side navigation pane, choose API Management > API Groups. On the API Groups page, click Create Group in the upper-right corner.
- On the Create Group page, select your API Gateway instance from the Instance drop-down list, enter a Group Name and a BasePath, and then click OK.
- In the left-side navigation pane, choose . On the APIs page, click Create API in the upper-right corner.
- On the Create API page, in the Basic Information section, select the Group that you created. Enter an API Name. For Security Authentication, select Alibaba Cloud App. For AppCode Authentication, select Enable AppCode Authentication (Header) or Enable AppCode Authentication (Header & Query).
The following options are available for AppCode authentication:
- Enable After Publishing to Alibaba Cloud Marketplace: Disabled by default. If the API is published to Alibaba Cloud Marketplace, you can enable this option to allow AppCode authentication in the request header.
- Disable AppCode Authentication: AppCode authentication is disabled. All API calls must use signature authentication, regardless of whether the API is published to Alibaba Cloud Marketplace.
- Enable AppCode Authentication (Header): AppCode authentication is enabled. The AppCode can only be passed in the request header, regardless of whether the API is published to Alibaba Cloud Marketplace.
- Enable AppCode Authentication (Header & Query): AppCode authentication is enabled. The AppCode can be passed in the request header or as a query parameter, regardless of whether the API is published to Alibaba Cloud Marketplace.
- Select a Signature Algorithm and click Next.
- In the Define API Request step, configure the API request. For more information, see Define an API request. Then, click Next.
- In the Define Backend Service step, configure the backend service. For more information, see Define backend service information. Then, click Next.
- In the Define Response step, configure the response. For more information, see Define a response. Then, click Save.
Note: When you define API parameters, you do not need to add a parameter for the AppCode.
After creating the API, you can publish it to an environment for debugging.
Create an app
- Log on to the API Gateway console. In the left-side navigation pane, choose . On the Apps page, click Create App in the upper-right corner.
- In the Create App dialog box, enter an App Name and click OK.
An AppCode is automatically generated for each new app. To find the AppCode, go to the Apps page and click an app name to open its App Details page.
When Alibaba Cloud Marketplace users purchase an API, an app is automatically created for them.
Authorize an app to use an AppCode API
- Log on to the API Gateway console. In the left-side navigation pane, choose . On the APIs page, find the API that you created and, in the Actions column, click and then click Authorize.
- In the authorization dialog box, select the Stage and set the Authorization Validity Period. Under Select Apps for Authorization, find the My Apps section and click Search to view the apps in your account. Select the desired app, click Add, and then click OK.
Authenticate using an AppCode
You can provide the AppCode in two ways: in the request header or as a query parameter.
Method 1: Pass AppCode in the header
- Add an Authorization parameter to the request header.
- The value of the Authorization field must start with APPCODE, followed by a space and the AppCode value.
Format: Authorization: APPCODE <AppCode>
Example: Authorization: APPCODE 3F2504E04F8911D39A0C0305E82C3301
Important: If the backend service is an HTTP function, the Authorization header is not passed to the backend service, because the Authorization parameter of the HTTP function overwrites it. Therefore, we recommend passing the AppCode as a query parameter in that case.
Method 2: Pass AppCode as a query parameter
- Add an AppCode parameter to the request query. The parameter name is case-insensitive: you can use appcode, appCode, APPCODE, or APPCode.
- The value of the AppCode parameter is your AppCode value.
Example:
http://?AppCode=3F2504E04F8911D39A0C0305E82C3301
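As an added example (not Alibaba Cloud's own code), the following Python sketch shows how a gateway-side check would accept the two formats described above: the Authorization header carrying the APPCODE keyword, or a query parameter named appcode in any letter case when Header & Query is enabled. It also refuses plaintext HTTP, as the Precautions section requires, and compares the AppCode in constant time. The AppCode, the app name and the URLs are constructed sample values.

```python
import hmac
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data for this example: one issued AppCode and its app name.
ISSUED_APPCODES = {"3F2504E04F8911D39A0C0305E82C3301": "demo-app"}


def extract_appcode(headers, url, allow_query=True):
    """Return the AppCode carried by the request, or None if it carries none.

    Method 1: Authorization header valued "APPCODE <value>" (keyword, one
    space, AppCode). Method 2: a query parameter named appcode in any letter
    case, honored only if the API was created with "Header & Query" enabled.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth:
        parts = auth.strip().split(" ", 1)
        if len(parts) == 2 and parts[0] == "APPCODE" and parts[1].strip():
            return parts[1].strip()
    if allow_query:
        for name, value in parse_qsl(urlsplit(url).query):
            if name.lower() == "appcode" and value:
                return value
    return None


def authenticate(headers, url, allow_query=True):
    """Return (accepted, detail). Plaintext HTTP is refused because the AppCode
    travels in the clear; the lookup compares in constant time so timing does
    not reveal how many leading characters of a guessed value were right."""
    if urlsplit(url).scheme != "https":
        return False, "rejected: AppCode must only be sent over HTTPS"
    code = extract_appcode(headers, url, allow_query)
    if code is None:
        return False, "rejected: no AppCode in header or query"
    for issued, app in ISSUED_APPCODES.items():
        if hmac.compare_digest(issued.encode(), code.encode()):
            return True, app
    return False, "rejected: unknown AppCode"


if __name__ == "__main__":
    code = "3F2504E04F8911D39A0C0305E82C3301"
    base = "https://api.example.invalid/demo"
    print(authenticate({"Authorization": f"APPCODE {code}"}, base))
    print(authenticate({}, f"{base}?APPCode={code}"))
    print(authenticate({}, f"{base}?appcode={code}", allow_query=False))
    print(authenticate({"Authorization": f"APPCODE {code}"}, base.replace("https", "http")))
```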