Consumer authentication for Agent APIs verifies the identity of callers by using API key or JWT authentication, controls which APIs each caller may access, supports fine-grained control in multitenant scenarios, keeps sensitive data isolated and invocations compliant, and prevents unauthorized access and resource abuse.
Overview
Security
Prevents unauthorized access: validates requester identities (e.g., API keys) to block unauthorized users/systems from accessing sensitive resources.
Mitigates malicious attacks: helps prevent malicious behaviors such as scraping, API abuse, and DDoS attacks through authentication mechanisms.
Multi-tenant data isolation: assigns isolated access permissions to tenants in multi-tenant systems, ensuring each tenant accesses only their own data.
Usage control: combines authentication with rate limiting to enforce token-based quotas per consumer account.
Scenarios
Multi-tenant systems: assign tenant-specific API permissions in open platforms for data isolation.
Open platforms: grant controlled API access to third-party developers while ensuring platform security and stability.
Internal system calls: validate service legitimacy in microservices architectures for AI API access.
Subscription-based access: restrict premium features or large language model (LLM) access based on user subscription tiers.
Procedure
After consumer authentication is enabled, you can configure a throttling rule based on token usage for each consumer account. When a consumer exceeds its preset usage, throttling is triggered automatically.
Log on to the AI Gateway console, and select the region where your instance is located.
Go to the target instance page, and select Agent API from the left-side navigation pane to go to the target API page.
Click the Consumer Authentication tab, click Edit on the right side of Configurations, and configure the following parameters:
Important: After consumer authentication is enabled, only authorized consumers can access the API.
Status: Turn consumer authentication on or off. It is off by default.
Authentication Method: Currently, API Key and JWT are supported.
API Key: When a client calls the API, it must attach the API key credential to the request in the specified way. After the gateway receives the request, it verifies that the API key is valid and has the required permissions.
JWT: Used to securely transmit information between clients and servers as JSON objects. The transmitted information can be verified and trusted because the JWT is signed, either with a hash-based message authentication code (HMAC) or with a public/private key pair using Rivest-Shamir-Adleman (RSA) or the Elliptic Curve Digital Signature Algorithm (ECDSA). You can use JWTs to authenticate users and perform access control.
In the Consumers section, click Authorize and select a consumer. If no consumer exists, you can click Create Consumer to create one. Then click Add.
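As an added example, not code from the AI Gateway product, the following Python sketches the gateway-side check behind the JWT method described above for the HMAC case: it pins the expected signing algorithm rather than trusting the token's own header, verifies the signature, checks expiry, and then maps the token's subject to one of the authorized consumers selected in the Consumers step. The shared secret, claim names, and consumer list are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values for this example only (not real gateway configuration).
HMAC_SECRET = b"example-shared-secret-not-for-production"
AUTHORIZED_CONSUMERS = {"tenant-a", "tenant-b"}   # consumers authorized for this API

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_hs256(claims: dict) -> str:
    """Client side: build an HS256-signed JWT (used here only to produce sample tokens)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(HMAC_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def authenticate_consumer(token: str, now=None) -> tuple:
    """Gateway side: returns (True, consumer_id) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:   # wrong part count, bad base64, bad JSON
        return False, "malformed token"
    # Pin the algorithm the gateway expects; rejects "none" and algorithm confusion.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(HMAC_SECRET, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    # A token without an expiry is treated as expired: every consumer token must be bounded.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    # Only consumers explicitly authorized for this API are admitted.
    consumer = claims.get("sub")
    if consumer not in AUTHORIZED_CONSUMERS:
        return False, "consumer not authorized for this API"
    return True, consumer
```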