Call API Products

Last Updated: Dec 29, 2020

This topic describes how to call the operations of an API product after you purchase the API product in Alibaba Cloud Marketplace.

Authentication Modes of API Operations

Before you call an operation of an API product, you must understand the authentication modes for API calls. API products in Alibaba Cloud Marketplace support two authentication modes. You can use either mode based on your needs.

  • Simple mode based on AppCode

-Scenarios: The client environment where you call an API product is secure and controllable. For example, your client application resides in an internal network.

-Technical Principles: To perform identity authentication, a client application adds the AppCode to the request header or as a query parameter of an API request.

-Benefits: The simple mode is easy to implement and does not require complex signature calculation. You can use various development languages to implement this authentication mode. API products also provide sample code in multiple languages for you to use.

-Shortcomings: The simple mode does not provide high security. AppCodes are transmitted as plain text in HTTP requests on the network. As a result, AppCodes may be leaked.

-Suggestions: To reduce the risk of leakage during transmission, we recommend that you use HTTPS requests for API calls.

  • Encrypted Mode

-Scenarios: The encrypted mode is more secure than the simple mode.

-Technical Principles: A client application uses a hashing algorithm and the specified AppSecret to compute a signature string over the required information. In general, the HMAC-SHA256 algorithm is used. For more information, see Request signature. When you call an API operation, the signature string and the specified AppKey are added to the request header for identity authentication.

-Benefits: The encrypted mode is highly secure. A unique signature string is generated for each API call to prevent data tampering.

-Shortcomings: Signature calculation is complex. We recommend that you use SDKs or code repositories to call API operations.

-Suggestions: We recommend that you use this mode because it is a mainstream authentication mode for API calls and provides high security.

View the Authentication Information for API Calls

After you purchase an API product, API Gateway generates the authentication information for you to call API operations. You can use one of the following two methods to view the authentication information.

  • Use the Alibaba Cloud Marketplace Console

Log on to the Alibaba Cloud Marketplace Console. On the Mysoftware subscription page, you can view the information about all the purchased API products. In the following figure, the AppKey, AppSecret, and AppCode are framed in red.

[Figure: Marketplace Console]

  • Use the API Gateway Console

1. Log on to the API Gateway Console.

2. In the left-side navigation pane, choose Consume APIs > APPs and find the application that is created for the API product that you purchase.

[Figure: API Gateway Console]

3. Click the name of the required application to go to the details page of the application, where you can find the AppKey, AppSecret, and AppCode. The authentication information is the same as that in the Alibaba Cloud Marketplace console.

The API products that you purchase may be published in different regions. Therefore, you can search for applications by region.


Perform Identity Authentication in Simple Mode Based on AppCode

The following two methods are supported:

  • Add the AppCode to the request header

Add the Authorization parameter to the header of an API request. The value of the Authorization parameter must be in the following format: APPCODE + Space + AppCode value.


Authorization: APPCODE AppCode value


Authorization: APPCODE 3F2504E04F8911D39A0C0305E82C3301

  • Add the AppCode as a query parameter

Add the AppCode as a query parameter of an API request. The name of the parameter can be appcode, appCode, APPCODE, or APPCode. The value of the parameter is the value of the AppCode.

http://Domain of your API product?AppCode=3F2504E04F8911D39A0C0305E82C3301
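
Because the AppCode is a static credential sent as plain text, a client should send it only over HTTPS and keep it out of URLs and logs. The following Python helpers are an added example, not code from this documentation or from the API Gateway SDK. The host api.example.com, the function names, and the sample log lines are constructed for illustration.

```python
import re
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header form from the page: "APPCODE" + space + AppCode value.
_AUTH_RE = re.compile(r"(Authorization:\s*APPCODE\s+)\S+", re.IGNORECASE)
# Query form; case-insensitive covers appcode, appCode, APPCODE and APPCode.
_QUERY_RE = re.compile(r"([?&]appcode=)[^&\s\"]+", re.IGNORECASE)


def build_request(url, appcode):
    """Build a request that carries the AppCode in the header, HTTPS only."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to send an AppCode without HTTPS")
    if any(k.lower() == "appcode" for k, _ in parse_qsl(parts.query)):
        raise ValueError("AppCode must not be placed in the query string")
    return urllib.request.Request(url, headers={"Authorization": "APPCODE " + appcode})


def redact_url(url):
    """Mask an AppCode query parameter before the URL is logged or stored."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == "appcode" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_log_line(line):
    """Mask AppCodes in free-form log text (header and query-parameter forms)."""
    return _QUERY_RE.sub(r"\1REDACTED", _AUTH_RE.sub(r"\1REDACTED", line))


# Constructed sample data; api.example.com is a placeholder host.
SAMPLE_CODE = "3F2504E04F8911D39A0C0305E82C3301"  # example value shown on the page
SAMPLE_LOG = [
    "GET /weather?city=hz&AppCode=" + SAMPLE_CODE + " HTTP/1.1",
    "Authorization: APPCODE " + SAMPLE_CODE,
]

if __name__ == "__main__":
    req = build_request("https://api.example.com/weather?city=hz", SAMPLE_CODE)
    print(redact_log_line("Authorization: " + req.get_header("Authorization")))
    for entry in SAMPLE_LOG:
        print(redact_log_line(entry))
    print(redact_url("https://api.example.com/weather?AppCode=" + SAMPLE_CODE))
```

The header form keeps the AppCode out of URLs that proxies, browsers, and access logs commonly record, and the redaction helpers cover log sources that already contain it.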

Perform Identity Authentication in Encrypted Mode

Signature calculation is complex. For more information, see Request Signature. We recommend that you use the SDK that is generated by API Gateway.

1. Log on to the API Gateway Console.

2. In the left-side navigation pane, choose Consume APIs > Authorized APIs SDK.

3. Find the required SDK in the application list.

If no SDK is provided in your desired language, you can refer to the sample code in other languages.

[Figure: API Gateway Console]