All Products
Document Center


Last Updated: Nov 08, 2017

You must create an app as your identity to call an API. Each app has a key pair consisting of an AppKey and AppSecret. These are used as the encrypted signature in your request and is verified by the gateway verifies.

  • In API Gateway, create an app as your requester identity. During app creation, the system automatically assigns an AppKey and AppSecret. The AppKey indicates your identity. The AppSecret is the key used to encrypt the signature string and to verify the signature string on the server. When calling an API, you must include the AppKey and AppSecret into the request. API Gateway verifies your identity through symmetric encryption. For more information about the methods of calculating and passing the encrypted signature, see Portal and Protocol.

  • The AppKey and AppSecret have all of the permissions on the app, and therefore, must be kept secure. If any of the keys are released, you must reset them on the API Gateway console.

  • You can own multiple apps, to which different APIs are assigned based on your service requirements. Note that the API authorization is specific to an app, but not the Alibaba Cloud user account.

  • On the API Gateway console, you can manage apps, view details, manage keys, and view authorized apps.