Authorization management
API authorization establishes a relationship between an application and an API. An application is the identity used to call an API and must be authorized to call that API.
Prerequisites
The API authentication method is set to Alibaba Cloud App authentication.
Apps
An application is the identity used to call an API. By default, each application has a key pair that consists of an AppKey and an AppSecret. The AppKey must be passed as a parameter in the request header, and the AppSecret is used to calculate the request signature. For more information about how to calculate and pass the signature, see Use digest authentication to call an API.
-
The AppKey and AppSecret key pair grants full permissions to the application. Store it securely. If the key pair is compromised, you can reset it in the API Gateway console.
-
You can create multiple applications and authorize them to call different APIs based on your business needs. Note that APIs are authorized for applications, not for an Alibaba Cloud account.
-
In the API Gateway console, you can create, modify, and delete applications, view details, manage keys, and view authorized APIs.
-
You can add new AppKey and AppSecret pairs to an application from its details page. The new key pair has all the permissions of the application and can be deleted. The default key pair that is generated when you create the application cannot be deleted.
Create an app
-
Log on to the API Gateway console. In the left-side navigation pane, choose , and then click Create App in the upper-right corner.
-
On the Create App page, enter an App Name and click Create.
When you create an application, you can optionally set tags, provide custom AK information, and configure an extension field.
-
Tag settings: Use tags to organize your applications.
-
Custom AK information: Allows you to define a custom AppKey and AppCode when you create an application. You can also modify the AppKey and AppCode of an application in production. The changes take effect immediately.
-
Extension field: Allows you to configure an extension field for the application. API Gateway passes this field to the backend service as the
CaAppExtInfosystem parameter.ImportantFor a dedicated instance purchased before August 2023, if the extension field does not take effect, submit a ticket to upgrade your instance version.
Disable an app
-
Log on to the API Gateway console. In the left-side navigation pane, choose .
-
Click the target application to go to the Application Details page. Then, click Disable App Authentication in the upper-right corner.
NoteOnce disabled, an application can no longer call its authorized APIs. You can re-enable the application at any time to resume calling the APIs.
ImportantFor a dedicated instance purchased before July 2025, if this feature does not work, submit a ticket to upgrade your instance version.
API authorization
Authorization is the process of granting an application permission to call an API. An application must be authorized before it can call an API.
-
You can directly authorize your own applications to call your APIs.
-
You can authorize your applications to call the APIs that you purchased from Alibaba Cloud Marketplace. If you do not have an application, Alibaba Cloud Marketplace creates one for you and authorizes it during the purchase. For more information, go to the Alibaba Cloud Marketplace console.
-
To use a partner's API (from another Alibaba Cloud account) through an offline agreement, create an application and provide its application ID to the partner. The partner can then authorize your application by searching for its ID.
Procedure
-
Log on to the API Gateway console. In the left-side navigation pane, choose , find the target API, and in the Actions column, click
> Authorize. -
On the authorization page, select a stage and an Authorization validity period, and then select the application to authorize under Choose apps for authorization. To authorize an application in your account, select My apps and click Search to load all applications under your account.
To authorize an application from another account, select App ID, enter the corresponding application ID in the text box, and then click Search.
ImportantFor a dedicated instance purchased before November 2023, if a newly added key pair does not take effect, submit a ticket to upgrade your instance version. The default key pair that is generated when you create the application is not affected by the instance version.