All Products
Document Center

Function Compute:Overview

Last Updated:Feb 02, 2024

An HTTP trigger allows you to invoke a function by using an HTTP request. HTTP triggers can be used in scenarios such as fast construction of web services. This topic describes the usage notes, benefits, invocation methods, supported protocols, authentication methods, cross-origin resource sharing (CORS) request processing, limits, and handler functions of HTTP triggers.

Usage notes

If you set the Authentication parameter to No when you configure an HTTP trigger for a function, the HTTP trigger is anonymous. In this case, every user can invoke the function by sending an HTTP request. This may cause the URL of the HTTP trigger to be leaked. To prevent URL leakage, you can use the Authorization request header to check the validity of a request. For more information, see Signature authentication.


Limits on triggers

For each version or alias of a function, you can create only one HTTP trigger. For more information, see Manage versions and Manage aliases.

Limits on HTTP

  • HTTP request limits

    • You cannot use a custom request header that starts with x-fc- or the following custom request headers:

      • connection

      • keep-alive

    • Function Compute returns the 400 status code and InvalidArgument error code if a request exceeds one of the following limits:

      • Header size: The total size of all keys and values in headers cannot exceed 8 KB.

      • Path size: The total size of the path, including all query parameters, cannot exceed 4 KB.

      • Body size: The total size of the body of a synchronous invocation request cannot exceed 32 MB. The total size of the body of an asynchronous invocation request cannot exceed 128 KB.

  • HTTP response limits

    • You cannot use a custom response header that starts with x-fc- or the following custom response headers:

      • connection

      • content-length

      • date

      • keep-alive

      • server

      • upgrade

      • content-disposition:attachment


        For security reasons, if you use the default domain name of Function Compute, the server forcibly adds the content-disposition: attachment response header. The response header is used to download the returned results from the browser as an attachment. To remove the limit, you must configure a custom domain name. For more information, see Specify a custom domain name.

    • If a response exceeds the following limit, Function Compute returns the 502 status code and the BadResponse error code:

      • Header size: The total size of all keys and values in headers cannot exceed 8 KB.

  • Others

    You can bind custom domain names to map different HTTP paths for HTTP functions. For more information, see Specify a custom domain name. You can also set the backend service type to HTTP and specify the HTTP function path as the backend service address in API Gateway to implement similar features. For more information, see Function Compute.


You can use HTTP triggers and API Gateway triggers to create web applications. Compared with API Gateway triggers, HTTP triggers provide the following benefits:

  • Allow developers to learn and use with ease, simplify debugging, and help developers quickly build web applications and APIs by using Function Compute.

  • Help optimize request processing. HTTP triggers support more efficient request and response formats. You do not need to encode or decode requests into the JSON format. This helps deliver better performance.

  • Allow you to use HTTP test tools with which you are familiar to test the features and performance of Function Compute.

  • Allow you to easily connect to other services that support webhooks, such as Alibaba Cloud CDN and Message Service (MNS).

Invocation methods

Functions can be invoked in synchronous and asynchronous modes. During a synchronous invocation, the result is returned after an event is processed by a function. During an asynchronous invocation, Function Compute persists the request and immediately returns a response without waiting for the execution of the request to complete.

Synchronous invocations

By default, an HTTP trigger invokes a function in synchronous mode. For more information, see Synchronous invocations.

Asynchronous invocations

You can use an HTTP trigger to invoke a function in asynchronous mode at the request level by adding the "X-Fc-Invocation-Type":"Async" request header. For more information about request headers, see InvokeFunction.

If an asynchronous invocation is successful, Function Compute returns the 202 status code, which indicates that the request is received. In addition, Function Compute returns the request ID by using a request header. The format of the ID is "X-Fc-Request-Id": "80bf7****281713e1".


If the status code returned from Function Compute is not 202, the asynchronous invocation fails. For information about the causes of invocation failures, see Error handling.

In specific scenarios, after you submit an asynchronous invocation request, you may want Function Compute to defer the invocation. To achieve this, you can add the x-fc-async-delay HTTP request header to the code. The value range of the header is 0 to 3600, in seconds. Function Compute invokes the function after the period specified by x-fc-async-delay elapses. For more information, see the "Deferred invocation of a function" section of the Overview topic.


  • For more information about asynchronous invocations, see Overview.

Supported protocols


You can use the following methods to trigger functions: GET, POST, PUT, DELETE, HEAD, PATCH, and OPTIONS. The HTTP and HTTPS protocols are suitable for simple request-response scenarios. For more information, see Configure an HTTP trigger for a function and invoke the function by using HTTP requests.


You can configure authentication policies for HTTP triggers. After you configure an authentication policy for HTTP triggers, external requests must pass the authentication before they can be processed by functions.

Signature authentication and JSON Web Token (JWT) authentication policies can be configured for HTTP triggers.

Signature authentication

If a signature authentication policy is configured for an HTTP trigger, requests must be signed by using the assigned AccessKey IDs and AccessKey secrets. The AccessKey IDs and AccessKey secrets are passed to Function Compute for verification. For more information, see Signature authentication.

This authentication method is highly secure, but the signature algorithm must be implemented on clients, which is costly. In addition, the AccessKey IDs and AccessKey secrets are stored on clients, which leads to data leakage risks. You can use Security Token Service (STS) tokens to prevent this issue. However, architectural complexity is introduced.

JWT authentication

JWT is a popular and secure mechanism for API authorization and access. It is suitable for low-security client scenarios such as JavaScript or web frontend. For more information, see Configure JWT authentication for HTTP triggers.

CORS request processing

By default, Function Compute allows you to invoke functions across origins. The following items describe the default configurations of response headers of Function Compute.

  • Access-Control-Allow-Origin: the origin header of the request.

  • Access-Control-Allow-Credentials: the default value is true.

  • Access-Control-Expose-Headers: custom headers of Function Compute.