This topic describes the API authentication methods supported by API Gateway, including simple authentication (AppCode), digest authentication, and JSON Web Token (JWT)-based authentication. This topic also describes how to manage authorizations to ensure the security and flexibility of API calls.
Call an API in simple authentication mode
API Gateway provides the AppCode-based simple authentication method for client requests. Specifically:
Precautions: Make sure that HTTPS communication is used between the client and API Gateway. Do not transmit data over HTTP.
Steps to call an API in simple authentication mode.
Use digest authentication to call an API
To call a published API that uses digest authentication (AppKey and AppSecret), the client must use its signature key pair to calculate a signature over the request content and send that signature along with the request so that the server can verify it. Specifically:
Introduction to the digest authentication method.
Checks the validity of requests that are received from clients to ensure that the requests contain the correct signature that is generated based on the authorized AppKey.
Prevents requests from being tampered with during transmission.
Steps to use an SDK to make an API call. For more information, see Use SDKs to call APIs.
Working principle of the digest authentication method.
Use this authentication method if API callers are to calculate request signatures on their own clients.
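To make the digest-authentication flow concrete, the following is an added example (not API Gateway's own code or its exact signing algorithm) of the general technique the section describes: the client derives an HMAC signature from the request content with its AppSecret, and the server recomputes the signature for the AppKey it finds in the request and rejects anything that does not match or is too old. The canonical string layout, header names (`x-app-key`, `x-timestamp`, `x-signature`), credential values and the 300-second clock-skew window are all assumptions chosen for this illustration.

```python
import hashlib
import hmac

# Constructed placeholder credentials for the demo (not real AppKey/AppSecret values).
APP_KEY = "demo-app-key"
APP_SECRET = b"demo-app-secret"

# Headers that take part in the signature, in a fixed order (assumed layout).
SIGNED_HEADERS = ("x-app-key", "x-timestamp")


def string_to_sign(method, path, headers, body):
    """Build the canonical request string that both sides sign.

    Binding the method, path, signed headers and a hash of the body means any
    change to them in transit changes the expected signature.
    """
    lines = [method.upper(), path]
    for name in SIGNED_HEADERS:
        lines.append(f"{name}:{headers[name]}")
    lines.append(hashlib.sha256(body).hexdigest())
    return "\n".join(lines)


def compute_signature(method, path, headers, body, secret):
    """HMAC-SHA256 of the canonical string, hex encoded."""
    message = string_to_sign(method, path, headers, body).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def client_build_request(method, path, body, app_key, secret, timestamp):
    """Client side: attach AppKey, timestamp and the resulting signature."""
    headers = {"x-app-key": app_key, "x-timestamp": str(timestamp)}
    headers["x-signature"] = compute_signature(method, path, headers, body, secret)
    return headers


def server_verify(method, path, headers, body, secrets_by_key, now, max_skew=300):
    """Server side: look up the AppSecret for the presented AppKey, check the
    timestamp window, then compare the recomputed signature in constant time.

    Returns (accepted, reason) so callers can log why a request was refused.
    """
    secret = secrets_by_key.get(headers.get("x-app-key"))
    if secret is None:
        return False, "unknown AppKey"
    try:
        timestamp = int(headers["x-timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - timestamp) > max_skew:
        return False, "stale timestamp"
    expected = compute_signature(method, path, headers, body, secret)
    if not hmac.compare_digest(expected, headers.get("x-signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"order": 1}'
    headers = client_build_request("POST", "/orders", body, APP_KEY, APP_SECRET, 1700000000)
    registry = {APP_KEY: APP_SECRET}
    print(server_verify("POST", "/orders", headers, body, registry, now=1700000010))
    # A body altered in transit no longer matches the signature:
    print(server_verify("POST", "/orders", headers, b'{"order": 2}', registry, now=1700000010))
```

The server never receives the AppSecret itself, only the signature, which is why the method both authenticates the caller and detects tampering with the signed parts of the request; the timestamp check limits how long a captured request stays replayable.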
JWT-based authentication
API Gateway provides a mechanism for authorized access to your APIs based on a JWT. You can use this mechanism to customize security settings. Specifically:
How API Gateway uses the JWT authentication plug-in to authenticate requests.
JWT
Introduction.
Authorization scope and validity period.
JWT characteristics.
Methods to use a JWT authentication plug-in to protect APIs.
Sample code to issue a token.
Error codes.
Manage authorizations
Authorizations refer to the authorization relationship between applications and APIs. Only authorized applications can call the corresponding APIs. Specifically:
Application: An application is an identity that is used to call an API.
Authorization: Applications must be authorized before they can be used to call an API.