All Products
Search

This Product

    API Gateway:Consumer authentication

    Document Center

    API Gateway:Consumer authentication

    Last Updated:Oct 13, 2025

    AI Gateway lets you configure consumer authentication for MCP services and MCP tools. This feature uses API key authentication to verify the identity of callers, precisely control API access permissions, implement fine-grained multitenancy management, ensure sensitive data isolation and compliant calls, and prevent unauthorized access and resource abuse. This topic describes how to configure consumer authentication.

    Configuration description

    • Consumer authentication is supported in the following scenarios:

      • Gateway-built HTTP-to-MCP conversion.

      • Direct proxy for gateway-built MCP services.

      • Nacos-hosted HTTP-to-MCP conversion.

      • Nacos-hosted proxy for MCP services.

    • Consumer authentication permissions for MCP services have a higher priority than those for MCP tools.

    Configure MCP service-level consumer authentication

    1. Go to the instance page of the AI Gateway console, select the region where the instance is located, and then click the target instance ID.

    2. In the navigation pane on the left, click MCP Management. Then, click the card for the target service and click the Consumer Authentication tab.

    3. Click Edit next to Configuration Information. In the MCP Service Consumer Authentication dialog box that appears, turn on Enable Status and click OK.

      Important

      • After you enable consumer authentication, you cannot access the API if no authorization is configured.

      • Currently, only API Key authentication is supported.

        An API key provides a simple authentication method. When a client sends a request, the credential must be added to the request in the specified format. After the gateway receives the request, it verifies the validity and permissions of the API key. API keys are typically used in simple scenarios that do not involve sensitive operations. They offer lower security than JSON Web Tokens (JWT) or AccessKey pairs (AK/SK). Manage and protect your credentials with caution.

    4. On the MCP tab, click Grant. In the Add Consumer Authorization panel, select a consumer and then click Add.

      Note

      If no consumer is available, you can click the input box next to Consumer and select Create Consumer from the drop-down list to create one.

    Configure MCP tool-level consumer authentication

    1. Go to the instance page of the AI Gateway console, select the region where the instance is located, and then click the target instance ID.

    2. In the navigation pane on the left, click MCP Management. Then, click the card for the target service and click the Consumer Authentication tab.

    3. Click Edit next to Configuration Information. In the MCP Service Consumer Authentication dialog box that appears, turn on Enable Status and click OK.

      Important

      • After you enable consumer authentication, you cannot access the API if no authorization is configured.

      • Currently, only API Key authentication is supported.

        An API key provides a simple authentication method. When a client sends a request, the credential must be added to the request in the specified format. After the gateway receives the request, it verifies the validity and permissions of the API key. API keys are typically used in simple scenarios that do not involve sensitive operations. They offer lower security than JSON Web Tokens (JWT) or AccessKey pairs (AK/SK). Manage and protect your credentials with caution.

    4. Click MCP Tool. On the MCP Tool tab, click Grant. In the Add Consumer Authorization panel, select a consumer and a tool, and then click Add.

      Note

      If no consumer is available, you can click the input box next to Consumer and select Create Consumer from the drop-down list to create one.