All Products
Search
Document Center

Function Compute:Configure Bearer authentication for a custom domain

Last Updated:Apr 08, 2026

When you expose a function through a custom domain, anyone who knows the URL can invoke it. Bearer authentication secures access by requiring clients to include a valid token in every request.

How it works

  1. A client sends a request to your custom domain with an Authorization: Bearer <token> header.

  2. Function Compute validates the token against the tokens configured for that domain.

  3. If the token matches, Function Compute forwards the request to the function.

  4. If the token is missing or invalid, Function Compute returns an error.

Prerequisites

Before you begin, ensure that you have:

Security considerations

Warning

Always use HTTPS in production environments. HTTP transmits tokens in plaintext, which exposes them to interception. Function Compute is not responsible for security risks caused by token leakage over HTTP. Use HTTP only for development and testing.

Important

Function Compute stores and verifies your tokens, but you are responsible for generating them and managing their lifecycle. Rotate tokens regularly, and immediately rotate any token that may have been exposed.

Limitations

  • Each token must be unique—both within a single custom domain and across all custom domain names.

  • Avoid simple or predictable token values, which are more susceptible to guessing attacks.

  • Each token must be 32–128 characters long and can contain only: A-Z, a-z, 0-9, +, /, =, -, ~, .. A token cannot start with a number or a hyphen (-).

  • Each custom domain supports 1–20 tokens.

Configure Bearer authentication

  1. Log on to the Function Compute console. In the left-side navigation pane, choose Function Management > Custom Domain Name.

  2. In the top navigation bar, select a region. In the domain name list, find the domain you want to manage and click Modify in the Actions column.

  3. On the Modify Custom Domain Name page, expand Authentication Settings. Set Authentication Method to Bearer Authentication, enter the Authentication Token, and then click Save.

    The Authentication Token must be a JSON object with a tokens array. Each token object has the following fields:

    Field

    Type

    Description

    tokenName

    String

    A unique name to identify the token

    tokenData

    String

    The token value. Must meet the character and length requirements listed in Limitations

    enable

    Boolean

    Set to true to activate the token. Set to false to disable it without deleting it

    The following example configures two tokens:

    {
        "tokens": [
            {
                "tokenName": "tokenName-7jd",
                "enable": true,
                "tokenData": "token-dfi34ij25gd1ed6ec80g35****"
            },
            {
                "tokenName": "tokenName-20i",
                "enable": true,
                "tokenData": "token-8g7f2a2c9fc23hid82593****"
            }
        ]
    }

    To configure a single token, include only one object in the tokens array.

Verify the configuration

Use cURL to send a request with the Authorization: Bearer <token> header:

curl --data your-data -X access-method -H "Authorization: Bearer <token>" https://<your-custom-domain>

Replace <token> with the tokenData value of an enabled token, and <your-custom-domain> with your actual domain name.

Example:

curl -X POST -H "Authorization: Bearer token-dfi34ij25gd1ed6ec80g35****" https://example.com

A successful request returns the function's response. If you receive an error, see Troubleshooting.

Troubleshooting

Authorization header is expected but missing

The request did not include an Authorization header. Add Authorization: Bearer <token> to your request headers.

access denied due to invalid bearer token

The token in the request does not match any enabled token configured for the domain. Verify that the token matches the value of the tokenData field in the Authentication Token that you configured in Configure Bearer authentication.

Billing

Bearer authentication does not incur additional charges. Gateway feature costs are included in function invocation billing.