Bearer authentication uses a token in an HTTP request header to verify identity. This method is ideal for scenarios that require secure access, such as APIs and microservices. After you attach a custom domain name to a function, you can configure a token for Bearer authentication. When a client makes a request, it must include a valid token in the request header. The client can access the function only if the request token matches the configured token for the custom domain name.
Notes
Use the HTTPS protocol in production environments when you configure Bearer authentication. The HTTP protocol is for development and testing only. Function Compute (FC) is not responsible for security risks that result from token leakage over the HTTP protocol.
Function Compute only stores and verifies the token information that you configure. You are responsible for generating tokens and managing their lifecycle. Rotate your tokens regularly to ensure system security. This is especially important if a token is exposed or poses a security risk.
Limits
Each token must be unique, both for a single custom domain name and across different custom domain names. Avoid using common patterns or simple combinations as token values. This helps prevent security issues.
Each token must be 32 to 128 characters long. It can contain only the following characters: 'A-Z', 'a-z', '0-9', '+', '/', '=', '-', '~', and '.'. A token cannot start with a number or a hyphen (-).
You can configure 1 to 20 tokens for each custom domain name.
Prerequisites
You have created a function and attached a custom domain name to it.
Procedure
Step 1: Configure Bearer authentication
Log on to the Function Compute console. In the left-side navigation pane, choose .
In the top navigation bar, select a region. In the domain name list, find the domain name that you want to manage and click Modify in the Actions column.
On the Edit Custom Domain Name page, expand Authentication Settings. Set Authentication Method to Bearer Authentication, enter the Authentication Token, and then click Save.
The following example shows the required format for the Authentication Token:
```json
{
  "tokens": [
    {
      "tokenName": "tokenName-7jd",
      "enable": true,
      "tokenData": "token-dfi34ij25gd1ed6ec80g35****"
    },
    {
      "enable": true,
      "tokenData": "token-8g7f2a2c9fc23hid82593****",
      "tokenName": "tokenName-20i"
    }
  ]
}
```
The example shows how to configure multiple tokens. To configure only one token, include only one token object.
Ensure that each token is unique.
To disable a token, set the corresponding `enable` field to `false`.
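The limits listed above and the Authentication Token format from Step 1 can be checked before the JSON is pasted into the console. The following is an added example, not Function Compute code; the function names and the sample data are assumptions made for illustration. Tokens are built from standard base64 rather than `secrets.token_urlsafe`, because the latter emits `_`, which is outside the permitted character set.

```python
import base64
import json
import re
import secrets

# Page limits: 32-128 chars from A-Z a-z 0-9 + / = - ~ . ; no leading digit or hyphen.
TOKEN_RE = re.compile(r"(?![0-9-])[A-Za-z0-9+/=~.-]{32,128}")
MAX_TOKENS = 20  # 1 to 20 tokens per custom domain name

def generate_token(n_bytes: int = 48) -> str:
    """Random token from the OS CSPRNG; 48 bytes -> 64 base64 characters."""
    if not 24 <= n_bytes <= 96:  # keeps the encoded length within 32-128
        raise ValueError("n_bytes must be between 24 and 96")
    while True:
        tok = base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")
        if TOKEN_RE.fullmatch(tok):  # retry when the first character is a digit
            return tok

def build_config(names: list[str]) -> str:
    """Authentication Token JSON in the format shown in Step 1."""
    return json.dumps({"tokens": [
        {"tokenName": n, "enable": True, "tokenData": generate_token()}
        for n in names]}, indent=2)

def validate_config(text: str) -> list[str]:
    """Return problems, keyed by tokenName so secrets stay out of logs.
    Uniqueness across other custom domain names is not checked here."""
    tokens = json.loads(text).get("tokens", [])
    problems = []
    if not 1 <= len(tokens) <= MAX_TOKENS:
        problems.append(f"expected 1-{MAX_TOKENS} tokens, got {len(tokens)}")
    seen = set()
    for i, entry in enumerate(tokens):
        name = entry.get("tokenName", f"#{i}")
        data = entry.get("tokenData", "")
        if not TOKEN_RE.fullmatch(data):
            problems.append(f"{name}: violates length/charset/first-character limits")
        if data in seen:
            problems.append(f"{name}: duplicate tokenData")
        seen.add(data)
    return problems

# Constructed sample with deliberate mistakes (not real tokens).
SAMPLE_BAD = json.dumps({"tokens": [
    {"tokenName": "too-short", "enable": True, "tokenData": "abc123"},
    {"tokenName": "leading-digit", "enable": True, "tokenData": "9" + "a" * 40},
    {"tokenName": "underscore", "enable": True, "tokenData": "a_" * 20},
    {"tokenName": "repeat", "enable": True, "tokenData": "9" + "a" * 40},
]})
```

`validate_config(SAMPLE_BAD)` reports five problems: one limit violation for each of the four entries, plus a duplicate for `repeat`.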
Step 2: Verify the configuration
This topic uses cURL as an example to show how to send an HTTP request with an `Authorization: Bearer <token>` header. The command is structured as follows:
```bash
curl --data your-data -X access-method -H "Authorization: Bearer <token>" https://<your-custom-domain>
```
Example:
```bash
curl -X POST -H "Authorization: Bearer token-dfi34ij25gd1ed6ec80g35****" https://example.com
```
FAQ
Why do I see the message `Authorization header is expected but missing` when accessing an endpoint after enabling Bearer authentication?
This message indicates that the client did not include the `Authorization` header when accessing the function using a custom domain name. Add `Authorization: Bearer <token>` to the request.
Why do I receive the `access denied due to invalid bearer token` error when accessing an endpoint after enabling Bearer authentication?
This error indicates that the client provided an invalid token when accessing the function through a custom domain name. Verify that the token is correct. The token must match the value of the `tokenData` field in the Authentication Token that you configured in Step 1: Configure Bearer authentication.
Does enabling Bearer authentication incur extra fees?
No, it does not. The fees for gateway-related features in Function Compute are included in the billing for function invocations. Therefore, enabling Bearer authentication does not incur extra fees.