When you expose a function through a custom domain, anyone who knows the URL can invoke it. Bearer authentication secures access by requiring clients to include a valid token in every request.
How it works
A client sends a request to your custom domain with an Authorization: Bearer <token> header.
Function Compute validates the token against the tokens configured for that domain.
If the token matches, Function Compute forwards the request to the function.
If the token is missing or invalid, Function Compute returns an error.
Prerequisites
Before you begin, ensure that you have:
Attached a custom domain name to the function
Security considerations
Always use HTTPS in production environments. HTTP transmits tokens in plaintext, which exposes them to interception. Function Compute is not responsible for security risks caused by token leakage over HTTP. Use HTTP only for development and testing.
Function Compute stores and verifies your tokens, but you are responsible for generating them and managing their lifecycle. Rotate tokens regularly, and immediately rotate any token that may have been exposed.
Limitations
Each token must be unique—both within a single custom domain and across all custom domain names.
Avoid simple or predictable token values, which are more susceptible to guessing attacks.
Each token must be 32–128 characters long and can contain only: A-Z, a-z, 0-9, +, /, =, -, ~, and . (period). A token cannot start with a number or a hyphen (-).
Each custom domain supports 1–20 tokens.
Configure Bearer authentication
Log on to the Function Compute console. In the left-side navigation pane, choose Function Management > Custom Domain Name.
In the top navigation bar, select a region. In the domain name list, find the domain you want to manage and click Modify in the Actions column.
On the Modify Custom Domain Name page, expand Authentication Settings. Set Authentication Method to Bearer Authentication, enter the Authentication Token, and then click Save.
The Authentication Token must be a JSON object with a tokens array. Each token object has the following fields:

| Field | Type | Description |
| --- | --- | --- |
| tokenName | String | A unique name to identify the token |
| tokenData | String | The token value. Must meet the character and length requirements listed in Limitations |
| enable | Boolean | Set to true to activate the token. Set to false to disable it without deleting it |

The following example configures two tokens:

{
  "tokens": [
    {
      "tokenName": "tokenName-7jd",
      "enable": true,
      "tokenData": "token-dfi34ij25gd1ed6ec80g35****"
    },
    {
      "tokenName": "tokenName-20i",
      "enable": true,
      "tokenData": "token-8g7f2a2c9fc23hid82593****"
    }
  ]
}

To configure a single token, include only one object in the tokens array.
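
The following is an added example, not part of the Function Compute documentation: a Python helper that generates unpredictable tokens with the operating system's CSPRNG and checks an Authentication Token JSON string against the rules in Limitations before you paste it into the console. The function names, the leading "t" prefix, and the used_elsewhere parameter are assumptions made for this example.

```python
import json
import re
import secrets

# Limits copied from the Limitations section of this page.
MIN_LEN, MAX_LEN, MAX_TOKENS = 32, 128, 20
ALLOWED = re.compile(r"[A-Za-z0-9+/=\-~.]+")


def check_token(value):
    """Return the list of Limitations rules that one tokenData value breaks."""
    problems = []
    if not MIN_LEN <= len(value) <= MAX_LEN:
        problems.append("length must be 32-128 characters")
    if not ALLOWED.fullmatch(value):
        problems.append("character outside A-Z a-z 0-9 + / = - ~ .")
    if re.match(r"[0-9-]", value):
        problems.append("must not start with a number or a hyphen")
    return problems


def new_token():
    """Generate an unpredictable 65-character token from the OS CSPRNG."""
    # token_urlsafe(48) yields 64 characters from A-Z a-z 0-9 - _ ; "_" is not
    # allowed here, so map it to "~". The leading "t" avoids a digit or "-".
    return "t" + secrets.token_urlsafe(48).replace("_", "~")


def validate_config(config_json, used_elsewhere=()):
    """Return the problems found in an Authentication Token JSON string."""
    # used_elsewhere: tokenData values already set on other custom domains.
    tokens = json.loads(config_json).get("tokens", [])
    problems = []
    if not 1 <= len(tokens) <= MAX_TOKENS:
        problems.append("a custom domain supports 1-20 tokens")
    seen = set(used_elsewhere)
    for entry in tokens:
        name, value = entry.get("tokenName", "?"), entry.get("tokenData", "")
        problems += [f"{name}: {p}" for p in check_token(value)]
        if value in seen:
            problems.append(f"{name}: token value is not unique")
        seen.add(value)
    return problems


def build_config(names):
    """Return Authentication Token JSON with one fresh token per name."""
    tokens = [{"tokenName": n, "enable": True, "tokenData": new_token()} for n in names]
    return json.dumps({"tokens": tokens}, indent=2)
```
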
Verify the configuration
Use cURL to send a request with the Authorization: Bearer <token> header:
curl --data your-data -X access-method -H "Authorization: Bearer <token>" https://<your-custom-domain>
Replace <token> with the tokenData value of an enabled token, and <your-custom-domain> with your actual domain name.
Example:
curl -X POST -H "Authorization: Bearer token-dfi34ij25gd1ed6ec80g35****" https://example.com
A successful request returns the function's response. If you receive an error, see Troubleshooting.
Troubleshooting
Authorization header is expected but missing
The request did not include an Authorization header. Add Authorization: Bearer <token> to your request headers.
access denied due to invalid bearer token
The token in the request does not match any enabled token configured for the domain. Verify that the token matches the value of the tokenData field in the Authentication Token that you configured in Configure Bearer authentication.
Billing
Bearer authentication does not incur additional charges. Gateway feature costs are included in function invocation billing.