All Products
Document Center

API Gateway:Overview

Last Updated:Nov 26, 2021

This document describes how to call the APIs that you created and published in the API Gateway console by using code on your business system, such as a mobile app or an HTML page. This topic describes the following content: - Security authentication methods, use scenarios, and API calling methods by using code - API calling methods in different network environments - App authorization management by using an administrator account

1. Security authentication methods

  • No authentication

APIs can be called on clients without authentication. This method is not secure and is suitable only for temporary tests. This method is not recommended.

  • AppCode for simple authentication

This method is easy to use but is not secure. This method is suitable for scenarios where you make API calls between systems that are connected over an internal network. API Gateway checks whether the header or a query parameter in an API request from the client contains a valid AppCode for authentication. For more information, see Call an API operation by using an AppCode.

  • Digest authentication

This method is more secure and suitable for more scenarios than the AppCode-based authentication method. If you use this authentication method to call a published API, the client uses the allocated AppKey and AppSecret to calculate the signature for the requested content. Then, the client transmits the key pair and signature in an HTTP request to API Gateway for verification.

- API Gateway SDKs are integrated with the signature mechanism. You can use the SDKs for different languages to call APIs. For more information, see Use SDKs to call APIs.

- If you want to calculate a signature on the client, see Request signature.

  • JWT-based authentication

This method requires a JSON Web Token (JWT) authentication plug-in. This method provides the highest security and is suitable for scenarios that may cause security risks, such as JavaScript or web frontend development. For more information, see JWT authentication.

2. Network environments for API calls

Clients can initiate API requests over the Internet or a VPC. For more information about API calls over the Internet, see the "Security authentication methods" section.

For more information about API calls over a VPC, see the following topics:

3. Authorization management

If Security Certification is set to Alibaba Cloud APP when you create an API, you must authorize apps before they can call the API. You can create apps and then authorize them. You can also authorize the apps created by other users based on the app IDs. Apps are identities that you use to call APIs. Each app has a key pair that consists of an AppKey and an AppSecret. When you call an API in an app, the AppKey is specified as a header field in the request and the AppSecret is used to calculate a signature string that is attached to the request.

For more information, see Authorize an application to call an API operation.