
Function Compute: Enable Bearer authentication for an HTTP trigger

Last Updated: Sep 30, 2025

In Function Compute, you can configure Bearer authentication for HTTP triggers to allow authorized users to access your functions in a simple and secure way.

Background information

Function Compute supports Bearer authentication for HTTP triggers. With Bearer authentication, you use the Function Compute console to configure the tokens that are allowed to access a function. Clients then send a valid token in the Authorization header of each request. The function can be accessed only when the token in the request matches a token configured on the trigger.

Prerequisites

A function and an HTTP trigger are created. For more information, see Create a function and Configure an HTTP trigger.

Limits

  • Each token name must be unique within a single trigger, with a maximum length of 128 characters. It can only contain letters, digits, underscores, and hyphens. It cannot start with a digit or hyphen (-).

  • The value of each token must be between 32 and 128 characters in length, and can only contain standard Base64 characters 'A-Z', 'a-z', '0-9', '+', '/', '=', '-', '~', '.'.

  • Each HTTP trigger allows between 1 and 20 tokens to be configured.

  • Token values should be different across different triggers and within the same trigger. Avoid using common combinations as token values to prevent security issues caused by overly simple token data.

  • For Bearer authentication, use the HTTPS protocol in production environments. The HTTP protocol should only be used for development and testing. FC is not responsible for security issues caused by token leakage when using the HTTP protocol.

  • Function Compute is only responsible for storing and verifying the token information you configure. You are responsible for token management. Please rotate tokens that have been leaked or proven insecure in a timely manner. Also, proactively rotate tokens that have been used for an extended period.

Procedure

Step 1: Configure Bearer authentication

  1. Log on to the Function Compute console. In the left-side navigation pane, click Functions.

  2. In the top navigation bar, select a region. On the Functions page, click the function that you want to manage.

  3. On the function details page, click the Triggers tab. Then, in the Actions column of the HTTP trigger, click Edit.

  4. In the Edit Trigger panel, configure the following settings, and then click OK.

    Set Authentication Method to Bearer Authentication and Token Type to Opaque. In the Authentication Token section, set tokenData to your token value.

    To disable a token, set the enable field to false.


    To configure multiple tokens, use the following format. Give each entry its own tokenName and tokenData; the values below are samples.

    {
        "tokens": [
            {
                "enable": true,
                "tokenData": "token-8g7f2a2c9fc23hid82593421g995",
                "tokenName": "tokenName-20i"
            },
            {
                "enable": true,
                "tokenData": "token-3k9d5b7e1ac46jfm07318254h662",
                "tokenName": "tokenName-20j"
            }
        ]
    }
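An added example, not part of the Function Compute documentation or tooling: a Python check that generates token values and validates one trigger's token configuration against the Limits listed above before it is pasted into the console. The token names and the BAD sample are constructed, and reading "letters" as ASCII letters is an assumption.

```python
import re
import secrets

# Rules transcribed from the Limits section above. Assumption: "letters" = ASCII.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]{0,127}")
VALUE_RE = re.compile(r"[A-Za-z0-9+/=\-~.]{32,128}")
MAX_TOKENS = 20

def new_token_value(nbytes=48):
    """Return a random token value (48 random bytes -> 64 characters)."""
    # token_urlsafe() can emit '_', which the Limits do not list; map it to '~'.
    return secrets.token_urlsafe(nbytes).replace("_", "~")

def build_config(names):
    """Build the trigger's token structure with a fresh value per (hypothetical) name."""
    return {"tokens": [{"enable": True, "tokenData": new_token_value(), "tokenName": n}
                       for n in names]}

def check_trigger_tokens(config):
    """Return Limits violations for one trigger; messages never echo token values."""
    tokens = config.get("tokens", [])
    problems = []
    if not 1 <= len(tokens) <= MAX_TOKENS:
        problems.append(f"token count {len(tokens)} is outside 1-{MAX_TOKENS}")
    seen_names, seen_values = set(), set()
    for i, tok in enumerate(tokens):
        name, value = tok.get("tokenName", ""), tok.get("tokenData", "")
        if not NAME_RE.fullmatch(name):
            problems.append(f"tokens[{i}]: invalid tokenName")
        if not VALUE_RE.fullmatch(value):
            problems.append(f"tokens[{i}]: tokenData length or charset invalid")
        if name in seen_names:
            problems.append(f"tokens[{i}]: duplicate tokenName")
        if value in seen_values:
            problems.append(f"tokens[{i}]: tokenData reused")
        seen_names.add(name)
        seen_values.add(value)
    return problems

# Constructed sample that breaks several limits (duplicates, short value, bad name).
BAD = {"tokens": [
    {"enable": True, "tokenData": "A" * 32, "tokenName": "svc-a"},
    {"enable": True, "tokenData": "A" * 32, "tokenName": "svc-a"},
    {"enable": True, "tokenData": "short", "tokenName": "9lives"},
]}

if __name__ == "__main__":
    print(check_trigger_tokens(build_config(["ci-deploy", "partner_api"])))
    print("\n".join(check_trigger_tokens(BAD)))
```

The check covers a single trigger; reuse of a token value across different triggers has to be compared separately.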

Step 2: Verify the operation

Use curl to send a request that includes the Authorization header.

curl --data your-data -X access-method -H "Authorization: Bearer your-token-data" https://your-http-trigger-address

Sample value:

curl -X POST -H "Authorization: Bearer token-c9e25351******" https://******.cn-hangzhou.fcapp.run

FAQ

  • Why do I receive the message "Authorization header is expected but missing" when accessing the endpoint after enabling Bearer authentication?

    This message indicates that the request to the HTTP trigger does not include an Authorization header. Please add Authorization information to your request.

  • Why do I receive the message "access denied due to invalid bearer token" when accessing the endpoint after enabling Bearer authentication?

    This message indicates that the request to the HTTP trigger does not include valid token information. Please check whether the token data is transmitted correctly. The token data comes from the tokenData value.

  • Will enabling Bearer authentication incur additional fees?

    No, you are not charged for Bearer authentication. The gateway-related features provided by Function Compute are charged as part of the function invocation count, so no additional fees are incurred whether or not you enable Bearer authentication.