Cloud-native API Gateway enables authentication for routes and APIs by using consumers. This topic describes how to manage consumers in the Cloud-native API Gateway console.
Create a consumer
Cloud-native API Gateway provides three authentication methods.
| Configuration method | Description | Applicable scenarios |
| --- | --- | --- |
| API Key | The client must add credentials to requests in a specified manner, and the gateway verifies the legitimacy and permissions. This method is suitable for non-sensitive operation scenarios. It provides lower security than JWT and AK/SK authentication. You need to pay attention to credential management and protection. | Suitable for lightweight, quick integration scenarios and scenarios with lower security requirements. |
| JWT | JSON Web Token (JWT) is a standard for securely transmitting information between clients and servers. It uses HMAC, RSA, or ECDSA signatures to ensure that information is verifiable and trustworthy. JWT authentication can implement authentication and access control in gateways. | Suitable for distributed systems and single sign-on (SSO) scenarios. |
| HMAC | The AK/SK signature authentication method based on the HMAC algorithm requires the client to calculate a signature for the request content by using a signature key when calling an API, and send the signature to the server for verification. | Suitable for scenarios with high requirements for data integrity and tamper-proofing. |
Create a consumer based on API key authentication
Go to the Consumer page in the Cloud-native API Gateway console and select the region where you want to create a consumer.
Click Create Consumer. In the Create Consumer panel, configure Consumer Name, select API Key as the authentication method, and complete the following configurations:
Generation Method:
System Generated: The system automatically generates an API key credential.
Custom: You need to specify an API key credential and the credential source.
Credential (not required if System Generated is selected): Customize the API key credential.
Credential Source:
Tells the gateway where to extract the API key from the request. Sources include the following:
Authorization: Bearer <token> (standard token format)
Custom HTTP Header (such as X-API-Key: your-key)
Custom Query Parameters (such as ?apikey=your-key)
Create a consumer based on JWT authentication
Go to the Consumer page in the Cloud-native API Gateway console and select the region where you want to create a consumer.
Click Create Consumer. In the Create Consumer panel, configure Consumer Name, select JWT as the authentication method, and complete the following configurations:
Creation Method:
Local Configuration is suitable for scenarios where the authentication service and gateway are in the same cluster or local area network, with high performance requirements and infrequent key changes.
Remote Fetch is suitable for scenarios using a unified identity center (such as OAuth2, OpenID Connect) to issue JWTs, supporting dynamic key updates, and suitable for multi-tenant or production environments.
Key Type (not required if Remote Fetch is selected):
Symmetric Key: A default JWKS is generated. The JWKS varies based on the consumer. The default JWKS contains a key that is used to encrypt or decrypt a token.
Asymmetric Key: You must enter the complete JWKS configuration. A token is encrypted by using a private key. The gateway performs decryption based on the public key in JWKS.
JWKS:
When Local Configuration is selected, set the JWKS configuration. For more information about JWKS specifications, see JSON Web Key (JWK).
When Remote Fetch is selected, set the URL. The system automatically parses and reads the information, including port number, timeout, and cache time.
Important: The URL must be a domain name, not an IP address.
JWT Token: Configure the JWT token information.
Type: the type of the token. Default value: HEADER.
Key: the name of the token.
Prefix: the prefix of the token. Configure the required parameters to validate the token. By default, the token contains the Bearer prefix and is stored in the Authorization Header. Example: Authorization: Bearer token.
Enable Passthrough: If you select this option, the token is transparently passed to the backend service.
Consumer Identity in JWT Payload: The key and value in the JWT payload that are used to identify the consumer. By default, the key is uid, and the value is a random string. You can modify the value based on your business requirements. The following code is an example of the payload in the JWT token:
{ "uid": "11215ac069234abcb8944232b79ae711" }
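The following sketch is an added example, not code from the gateway or its documentation. It shows how a verifier can map a token to a consumer with the defaults described above: the token is read from the Authorization header with the Bearer prefix, checked against a symmetric key in a JWKS, and the uid claim selects the consumer. The HS256 algorithm, the demo key, the consumer table, the exp handling, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed sample data: one symmetric ("oct") JWK and one consumer.
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key", "alg": "HS256",
                  "k": b64e(b"constructed-demo-secret-not-real")}]}
CONSUMERS = {"11215ac069234abcb8944232b79ae711": "consumer-a"}

def mint(claims, alg="HS256"):
    """Build a sample token signed with the demo key (helper for testing)."""
    jwk = JWKS["keys"][0]
    head = {"alg": alg, "typ": "JWT", "kid": jwk["kid"]}
    msg = b64e(json.dumps(head).encode()) + "." + b64e(json.dumps(claims).encode())
    sig = hmac.new(b64d(jwk["k"]), msg.encode(), hashlib.sha256).digest()
    return msg + "." + b64e(sig)

def resolve_consumer(headers, claim="uid", now=None):
    """Return the consumer name for a valid token, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):      # default header and prefix
        return None
    parts = value[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    try:
        head, claims = json.loads(b64d(parts[0])), json.loads(b64d(parts[1]))
        sig = b64d(parts[2])
    except ValueError:                       # bad base64, UTF-8 or JSON
        return None
    if not isinstance(head, dict) or not isinstance(claims, dict):
        return None
    jwk = next((k for k in JWKS["keys"] if k["kid"] == head.get("kid")), None)
    # Pin the algorithm to the configured key; never take it from the token.
    if jwk is None or head.get("alg") != jwk["alg"]:
        return None
    msg = (parts[0] + "." + parts[1]).encode()
    good = hmac.new(b64d(jwk["k"]), msg, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):   # constant-time comparison
        return None
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < (now or time.time()):
        return None                          # expired (assumed policy)
    uid = claims.get(claim)
    return CONSUMERS.get(uid) if isinstance(uid, str) else None
```
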
Create a consumer based on HMAC authentication
Go to the Consumer page in the Cloud-native API Gateway console and select the region where you want to create a consumer.
Click Create Consumer. In the Create Consumer panel, configure Consumer Name, select HMAC as the authentication method, and complete the following configurations:
System Generated: The system automatically generates an AccessKey pair.
Custom: You need to specify an AccessKey pair.
Disable a consumer
Log on to the API Gateway console.
In the left-side navigation pane, click Consumers. In the top navigation bar, select a region.
On the Consumer list page, click Disable in the Actions column of the target consumer. In the confirmation dialog box, click OK.
Delete a consumer
Log on to the API Gateway console.
In the left-side navigation pane, click Consumers. In the top navigation bar, select a region.
On the Consumer list page, click Delete in the Actions column of the target consumer. In the confirmation dialog box, enter the current consumer name, and then click Delete.