An app represents the identity of the requester. Each app has an AppKey and an AppSecret, which are used to calculate the encrypted signature. The gateway verifies the identity of the requester.
Whether you or your customers test or call an API, an app must be created to serve as the identity of the requester, and the app must be authorized to call the API. The authorization procedure is as follows:
- Obtain the AppID of the app to be authorized or the Alibaba Mail account of the app owner.
- On the authorization operation page, select one or more APIs for which call permissions are to be made available, and click Test/Production.
- Use the AppID or Alibaba Mail account to search for the app.
- Confirm the authorization.
Now, you have created and enabled an API that your customers can call. When a request arrives at the gateway, the gateway verifies the app’s identity and permissions. You can configure security protection for your API, for example, by configuring a throttling policy to limit the access traffic. The gateway also supports signing requests to backend services: you can set a signature key that is used for authentication when the gateway sends requests to your backend.
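
The two checks described above (identity through the AppKey/AppSecret signature, then permission for the API and environment) are sketched in the following added example, which is not the gateway's own code. The string-to-sign layout, the replay window, the function names and the sample app data are assumptions made for illustration; the product's actual signature format is not given on this page.

```python
import base64
import hashlib
import hmac

# Constructed sample data: AppKey -> AppSecret, and per-app grants of (API, environment).
APP_SECRETS = {"demo-app-key": b"demo-app-secret"}
GRANTS = {"demo-app-key": {("getOrder", "Test")}}
MAX_SKEW_SECONDS = 300  # assumed replay window, not a documented value


def string_to_sign(method, path, timestamp, body):
    """Assumed canonical layout: method, path, timestamp, body digest, newline-joined."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest]).encode()


def sign(app_secret, method, path, timestamp, body):
    """Requester side: HMAC-SHA256 keyed with the AppSecret, Base64-encoded."""
    message = string_to_sign(method, path, timestamp, body)
    return base64.b64encode(hmac.new(app_secret, message, hashlib.sha256).digest()).decode()


def gateway_check(app_key, signature, method, path, timestamp, body, api, stage, now):
    """Gateway side: verify identity first, then permission. Returns (allowed, reason)."""
    secret = APP_SECRETS.get(app_key)
    if secret is None:
        return False, "unknown app"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign(secret, method, path, timestamp, body)
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    # A valid signature proves identity only; the app must also be authorized
    # for this API in this environment (Test or Production).
    if (api, stage) not in GRANTS.get(app_key, set()):
        return False, "not authorized"
    return True, "ok"
```

A request signed with a valid AppSecret is still rejected when the app has been authorized for the Test environment only and calls Production, which is why the signature check and the authorization check are kept separate.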