
API Gateway: API authentication

Last Updated: Jun 17, 2026

API Gateway supports multiple API authentication methods, including simple authentication (AppCode), digest authentication, and JSON Web Token (JWT)-based authentication. You can also manage authorizations to control which applications can call specific APIs.

Call an API using simple authentication (AppCode)

With AppCode-based simple authentication, clients authenticate requests by passing an AppCode. Key points:

  • Precautions: Make sure that HTTPS communication is used between the client and API Gateway. Do not transmit data over HTTP.

  • Steps to call an API in simple authentication mode.

Use digest authentication to call an API

To call a published API that uses digest authentication (AppKey and AppSecret), clients must calculate a signature for the request content and send it to the server for verification. Key points:

  • Introduction to the digest authentication method.

    • Validates requests from clients to ensure they contain the correct signature generated based on the authorized AppKey.

    • Prevents requests from being tampered with during transmission.

  • Steps to use an SDK to make an API call. For more information, see Use SDKs to call APIs.

  • Working principle of the digest authentication method.

Use this authentication method if you want API callers to calculate the request signature on the client side.

JWT-based token authentication

API Gateway supports JWT-based authorized access to your APIs, allowing you to customize security settings. Key points:

  • Workflow of API Gateway using the JWT authentication plug-in to implement authentication.

  • JWT

    • Introduction.

    • Authorization scope and validity period.

    • JWT characteristics.

  • Methods to use a JWT authentication plug-in to protect APIs.

  • Sample code to issue a token.

  • Error codes.

Authorization management

Authorizations define the relationship between applications and APIs. Only authorized applications can call the corresponding APIs. Key concepts:

  • Application: An identity used to call an API.

  • Authorization: Applications must be authorized before they can call an API.