This topic provides answers to some frequently asked questions (FAQ) about API security of API Gateway.
API security issues
API security
How do I ensure AppKey security for mobile terminals?
An AppKey is the identity that you use to call an API. AppKeys are highly sensitive and must be stored securely. If an AppKey is leaked, reset it in the API Gateway console at your earliest opportunity.
How do I ensure security for a call from API Gateway to the backend server?
You can configure a security key in API Gateway or use HTTPS to encrypt requests.
Use a security key:
You can set a key for each API. After you set the key, API Gateway signs each request by using the method specified for the backend signature plug-in. For more information, see Backend signature plug-ins.
Your backend service must then verify the signature by using the same method to ensure that each request is authentic and has not been tampered with.
Use HTTPS:
Before you use HTTPS to encrypt requests, make sure that you have obtained the required Secure Sockets Layer (SSL) certificate.
Do I need to republish an API after I change the backend key for it?
No. You only need to create the new key and bind it to the API in the console.
How do I replace a backend key without interrupting services?
First, make sure that more than one server is running your backend service. Then, perform the following steps:
Upgrade your backend service to make it support both the old and new keys.
Modify your backend key in your gateway instance.
Edit your backend service to remove support for the old key.
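The following is an added example, not code from the API Gateway documentation, that shows why the three rotation steps above work: the backend verifies an HMAC signature against a set of accepted keys, so it can accept both the old and new key during the switch. The string-to-sign format and the header names used here are assumptions for illustration; the real backend signature plug-in defines its own.

```python
import hashlib
import hmac

# Assumed canonical form: method, path and a fixed list of signed headers,
# joined by newlines. The real plug-in's string-to-sign differs.
SIGNED_HEADERS = ("host", "x-request-id")
SIG_HEADER = "x-example-backend-signature"   # hypothetical header name
KEYID_HEADER = "x-example-backend-key-id"    # hypothetical header name


def string_to_sign(method, path, headers):
    parts = [method.upper(), path]
    for name in SIGNED_HEADERS:
        parts.append(f"{name}:{headers.get(name, '')}")
    return "\n".join(parts)


def sign(method, path, headers, secret):
    msg = string_to_sign(method, path, headers).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def gateway_sign(method, path, headers, key_id, keys):
    """Gateway side: attach the signature and the id of the key used."""
    out = dict(headers)
    out[KEYID_HEADER] = key_id
    out[SIG_HEADER] = sign(method, path, headers, keys[key_id])
    return out


def backend_verify(method, path, headers, accepted_keys):
    """Backend side: accepted_keys maps key id -> secret. During rotation
    it holds both the old and the new key; after step 3 only the new one."""
    secret = accepted_keys.get(headers.get(KEYID_HEADER))
    if secret is None:
        return False
    expected = sign(method, path, headers, secret)
    # Constant-time comparison avoids leaking the signature byte by byte.
    return hmac.compare_digest(expected, headers.get(SIG_HEADER, ""))


# Constructed sample request and keys for the walk-through.
REQUEST = ("POST", "/orders", {"host": "backend.internal", "x-request-id": "req-1"})


def rotation_demo():
    old, new = {"k1": "old-secret"}, {"k2": "new-secret"}
    both = {**old, **new}                      # step 1: backend accepts both keys
    m, p, h = REQUEST
    signed_old = gateway_sign(m, p, h, "k1", old)
    signed_new = gateway_sign(m, p, h, "k2", new)  # step 2: gateway switched
    return (backend_verify(m, p, signed_old, both),
            backend_verify(m, p, signed_new, both),
            backend_verify(m, p, signed_old, new))  # step 3: old key removed
```

Requests signed with the old key keep verifying until step 3, so no request fails while the gateway instance is being updated.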
How do I open an API to a specific user?
You can configure access permissions for the API in the API Gateway console.