API Gateway supports multiple API authentication methods, including simple authentication (AppCode), digest authentication, and JSON Web Token (JWT)-based authentication. You can also manage authorizations to control which applications can call specific APIs.
Call an API using simple authentication (AppCode)
With AppCode-based simple authentication, clients authenticate requests by passing an AppCode. Key points:
- Precautions: Make sure that HTTPS communication is used between the client and API Gateway. Do not transmit data over HTTP.
- Steps to call an API in simple authentication mode.
Use digest authentication to call an API
To call a published API that uses digest authentication (AppKey and AppSecret), clients must calculate a signature for the request content and send it to the server for verification. Key points:
- Introduction to the digest authentication method. Digest authentication:
  - Validates requests from clients to ensure they contain the correct signature generated based on the authorized AppKey.
  - Prevents requests from being tampered with during transmission.
- Steps to use an SDK to make an API call. For more information, see Use SDKs to call APIs.
- Working principle of the digest authentication method.
Use this authentication method if you want API callers to calculate the request signature on the client side.
JWT-based token authentication
API Gateway supports JWT-based authorized access to your APIs, allowing you to customize security settings. Key points:
- Workflow of API Gateway using the JWT authentication plug-in to implement authentication.
- JWT:
  - Introduction.
  - Authorization scope and validity period.
  - JWT characteristics.
- Methods to use a JWT authentication plug-in to protect APIs.
- Sample code to issue a token.
- Error codes.
Authorization management
Authorizations define the relationship between applications and APIs. Only authorized applications can call the corresponding APIs. Key concepts:
- Application: An identity used to call an API.
- Authorization: Applications must be authorized before they can call an API.