Consumer authentication for a model API verifies the identity of a caller using an API key. This feature provides precise control over API access permissions, enables fine-grained management for multitenancy, isolates sensitive data, ensures call compliance, and prevents unauthorized access and resource abuse.
Policy description
Security:
Prevents unauthorized access: Consumer authentication validates the identity of the requester, for example by checking an API key, to prevent unauthorized users or systems from accessing sensitive resources.
Prevents malicious attacks: The authentication mechanism helps prevent malicious behaviors such as web scraping, API abuse, and DDoS attacks.
Multi-tenant data isolation: In a multitenancy environment, you can use consumer authentication to assign independent access permissions to different tenants. This ensures that each tenant can access only their own data.
Usage control: By combining the authentication mechanism with a throttling policy, you can configure a throttling rule for each consumer account based on token consumption to ensure that usage is within the quota.
Scenarios
Multi-tenant systems: In an open platform, you can assign independent API access permissions to different tenants to ensure data isolation and security.
Open platforms: You can provide third-party developers with controlled API access permissions to ensure the security and stability of the platform.
Internal system calls: In a microservices model, you can ensure that only authorized services can call specific AI interfaces.
Paid service management: You can control access to advanced features or large models based on a user's subscription level or permissions.
Procedure
After you enable consumer authentication, you can configure a throttling rule for each consumer account based on token consumption. When resource usage exceeds the predefined limit, throttling is automatically triggered.
Log on to the AI Gateway console and choose Instance. In the top menu bar, select a region, then click the target instance ID.
In the navigation pane on the left, choose Model API, then click the target API name to go to the API Details page.
Click the Consumer Authentication tab, and then click Edit to the right of Configurations. In the API-level Consumer Authentication dialog box, turn on the Status switch, select an Authentication Method, and click OK.
Important: After consumer authentication is enabled, a consumer cannot access the API without authorization.
Configuration item | Description
Status | Enables or disables consumer authorization. This feature is disabled by default.
Authentication Method | The following authentication methods are supported for consumer authorization: API Key and JWT. An API key is a simple authentication method. When a client sends a request, the client must add the credential to the request in a specified manner. After the gateway receives the request, it verifies the validity and permissions of the API key. JSON Web Token (JWT) is used to securely transmit information as a JSON object between a client and a server. The information can be verified and trusted because the JWT is signed, either with a shared secret (HMAC) or with a public/private key pair (RSA or ECDSA). JWT authentication can be used to verify identities and control access in the gateway.
Click Authorize, select a consumer, and click Add.
If no consumer exists, you can click the drop-down list next to Consumers and select Create Consumer.
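The following sketch is an added illustration, not AI Gateway code. It shows the order of checks the procedure above configures: identify the consumer from the API key, confirm that the consumer was authorized for the API, then apply the per-consumer token quota. The consumer names, keys, quota values, and HTTP status codes are assumptions.

```python
import hashlib
import hmac

def digest(api_key):
    # Store and compare SHA-256 digests so raw keys never sit in gateway config.
    return hashlib.sha256(api_key.encode()).hexdigest()

# Constructed sample data; consumer names, keys and limits are hypothetical.
CONSUMERS = {digest("sk-tenant-a-EXAMPLE"): "tenant-a",
             digest("sk-tenant-b-EXAMPLE"): "tenant-b"}
AUTHORIZED = {"chat-api": {"tenant-a"}}  # API -> consumers added via Authorize
TOKEN_QUOTA = {"tenant-a": 1000}         # tokens allowed per window

class Gateway:
    def __init__(self):
        self.used = {}  # consumer -> tokens consumed in the current window

    def identify(self, api_key):
        """Map a presented key to a consumer, or None if it is unknown."""
        presented = digest(api_key or "")
        match = None
        for stored, consumer in CONSUMERS.items():
            # Constant-time comparison; scan every entry, no early exit.
            if hmac.compare_digest(stored, presented):
                match = consumer
        return match

    def handle(self, api, api_key, tokens_consumed):
        """Return (status, detail); status codes are conventional HTTP, assumed."""
        consumer = self.identify(api_key)
        if consumer is None:
            return 401, "missing or invalid API key"
        if consumer not in AUTHORIZED.get(api, set()):
            return 403, "consumer not authorized for this API"
        used = self.used.get(consumer, 0)
        quota = TOKEN_QUOTA.get(consumer)
        if quota is not None and used >= quota:
            return 429, "token quota exceeded"
        # Token usage is only known after the model responds, so record it then.
        self.used[consumer] = used + tokens_consumed
        return 200, consumer
```

A valid key for a consumer that was never added through Authorize is rejected at the second check, which is the behavior the Important note describes.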