Use the Machine-to-Machine (M2M) authentication feature of Alibaba Cloud Identity as a Service (IDaaS) EIAM together with AI Gateway to let your AI applications call Alibaba Cloud Model Studio large language model (LLM) APIs using short-lived access tokens instead of static API keys.
Why avoid static API keys
Traditional AI applications embed a static API key in code or configuration files to call LLM APIs. This approach creates security risks:
A leaked API key grants permanent access until you manually revoke it.
Static keys often carry broader permissions than any single application needs.
Key rotation is manual and error-prone.
The solution: AI Gateway supports JWT-formatted tokens. Instead of storing the Model Studio API key, your application requests a short-lived access token from IDaaS EIAM using the OAuth 2.0 client credentials grant. AI Gateway validates the token, then calls Model Studio on your behalf with an API key that is stored only at the gateway. The long-lived LLM credential never leaves the gateway layer; the application holds only its own client credential (used to obtain tokens, and replaceable with a federated credential in production) and access tokens that expire on their own.
How it works
The runtime request flow is as follows:
Your application sends a token request to the IDaaS EIAM token endpoint using its client_id and client_secret. IDaaS EIAM validates the credentials and returns a short-lived JWT access token.
Your application includes the access token as a Bearer token in the Authorization header and calls AI Gateway. AI Gateway validates the JWT signature and claims against the IDaaS EIAM JWKS endpoint locally, without calling IDaaS for every request.
After authorization succeeds, AI Gateway uses the pre-configured Model Studio API key to call the backend LLM service and returns the result to your application.
Prerequisites
Before you begin, make sure you have:
An Alibaba Cloud account with access to IDaaS EIAM, AI Gateway, and Model Studio
A Model Studio API key (sk-xxxx) for the model you want to use
An existing IDaaS EIAM instance
Step 1: Get a Model Studio API key
Go to the Key Management page of Alibaba Cloud Model Studio (Singapore | Beijing).
Copy an existing API key from the list, or click Create API Key to create one.
In the Create API Key dialog, set Owner Account to Alibaba Cloud account and Owner Workspace to Default Workspace, then click OK.
Click the copy icon next to the newly created key to copy it.
For more information, see Obtain an API key.
Step 2: Set up AI Gateway to proxy Model Studio
Create an Internet NAT gateway
AI Gateway runs in a Virtual Private Cloud (VPC) and needs outbound internet access to reach Model Studio. Create an Internet NAT gateway in the same VPC and region you will use for AI Gateway.
Go to the Internet NAT Gateway purchase page, configure the following settings, and click Buy Now.
| Configuration item | Description | Example value |
|---|---|---|
| Billing method | Only Pay-as-you-go is supported. | Pay-as-you-go |
| Region | Region where the NAT gateway will be created. | China (Hangzhou) |
| Network and zone | VPC and vSwitch for the NAT gateway. This cannot be changed after creation. | TEST_VPC |
| Elastic IP address | Select an existing elastic IP address (EIP) or purchase a new one. | Purchase new EIP |

In the VPC console, go to NAT Gateway > Internet NAT gateway and locate the instance you created.
Click the instance ID to open the details page.
On the SNAT management tab, click Create SNAT entry.
Set SNAT entry granularity to VPC, set Elastic IP address to the associated EIP, and click OK.
For more information, see Create an Internet NAT gateway and associate an EIP.
Create an AI Gateway instance
Go to the AI Gateway purchase page, configure the following settings, and click Buy Now.
The following settings create a public-network instance with minimum specifications. Keep the default values for any setting not listed here. For more information, see Create a gateway instance.
| Configuration item | Description | Example value |
|---|---|---|
| Product type | Billing type. Supports Dedicated Instance (Pay-as-you-go), Dedicated Instance (Subscription), and Serverless (Pay-as-you-go). | Dedicated Instance (Pay-as-you-go) |
| Region | Must match the region of the NAT gateway you created. | China (Hangzhou) |
| Gateway name | Custom name for the gateway. | test_gateway |
| Gateway specifications | Node specifications. Not applicable to Serverless instances. | aigw.small.x1 |
| Network access type | Supports Public Network, Private Network, and Public and Private Network. | Public Network |
| VPC | Must match the VPC of the NAT gateway you created. | TEST_VPC |
| Zone selection | Automatic assignment or Manual selection. | Automatic assignment |
| vSwitch | vSwitch for the gateway nodes. | VSW_1 |
| Service-linked Role | Click all Create Service-linked Role buttons to create the following two roles. For more information, see Service-linked role.<br>- AliyunServiceRoleForNativeApiGw<br>- AliyunServiceRoleForNativeApiGwInvokeFC | - |

On the Confirm order page, review the AI Gateway configuration details and click Buy Now.
Return to the AI Gateway Instances page. Wait for the instance status to change to Running (this takes 1 to 5 minutes).
Note: The public endpoint provided by AI Gateway has a daily call limit of 1,000 requests and is for testing only. For production environments, resolve your business domain name to this public endpoint using a CNAME record and use the custom domain for all production calls. The public endpoint is listed under Overview > Endpoints > Endpoints and IPs on the instance details page.
Create an AI service backend
In the AI Gateway console, go to AI Gateway > Instances and click the target instance ID.
In the left navigation pane, click Services, then click Create service.
Configure the following settings and click OK.
The following settings use Alibaba Cloud Model Studio as an example. For more information, see Create a service.
| Configuration item | Description | Example value |
|---|---|---|
| Service source | Type of service to proxy. | AI service |
| Service name | Custom name for the service. | test_bailian |
| Large model provider | The LLM provider to proxy. | Alibaba Cloud Model Studio |
| Model protocol | Keep the default value. | OpenAI/v1 |
| Endpoint (base_url) | The endpoint provided by the model provider. Keep the default value. | https://dashscope.aliyuncs.com/compatible-mode/v1 |
| Generation method | How to provide the API key. | Manual input |
| API-KEY | The Model Studio API key you obtained in Step 1. | sk-4901******8a59 |
Create a Model API
On the instance details page, go to Model API in the left navigation pane and click Create Model API.
Select the Text generation scenario and click Create. Configure the following settings and click OK.
For more information, see Manage Model APIs.
| Configuration item | Description | Example value |
|---|---|---|
| Protocol | Determines the built-in route schema. Use this to generate compatible interfaces such as OpenAI, DashScope, and vLLM. | OpenAI compatible |
| API name | Must be globally unique within your account. | test_api |
| Domain name | The domain name used to access this API. The combination of domain name and base path must be unique. | example.aliyun.com |
| Service type | Routing method for backend services. | Single model service |
| Service name | The backend service to route to. | test_bailian |

On the API details page, click the Consumer authentication tab. Click Configuration information > Edit, turn on the Enable switch, set Authentication method to JWT, and click OK.
Step 3: Configure an IDaaS M2M application
You need two M2M applications in IDaaS EIAM: an M2M Server application (the OAuth 2.0 resource server, representing AI Gateway) and an M2M Client application (the OAuth 2.0 client, representing your AI application).
Create an IDaaS instance
If you do not have an IDaaS EIAM instance, create one first:
In the IDaaS Management Console, go to EIAM.
Click IDaaS > Create instance. Set a Description, accept the Alibaba Cloud Product Service Agreement, and click Create.
In the EIAM instance list, click Console in the Actions column to open the instance management console.
Go to Application management > M2M application. In the Note on upgrade dialog, click Upgrade now.
On the upgrade page, enable M2M management and click Buy Now.
Create an M2M Server application
The M2M Server application acts as the OAuth 2.0 resource server. It defines the permission scopes that clients can request and provides the JWKS endpoint for JWT verification.
In the EIAM instance management console, go to Application management > M2M application.
Click Add application, set Application name to "M2M Server", and click Add.
On the Server permission control tab, under Authorized application, turn on the Server permission control switch. Set the ResourceServer identifier to the following value, then click Confirm.
cloud:idaas:aigateway:alibabacloud:<account-id>
Replace <account-id> with your Alibaba Cloud account ID.
Under Permission management, click Create scope. Set the Scope name and Scope value, then click Confirm.
Turn on the M2M Client switch under Authorized Applications. In the Permission list, select the permission you added in the previous step and click Confirm.
On the General tab, copy and save the Public key endpoint URL from Application settings. You will use this URL when configuring AI Gateway JWT authentication in Step 4.
Create an M2M Client application
The M2M Client application represents your AI application and holds the credentials it uses to request access tokens.
In the EIAM instance management console, go to Application management > M2M application.
Click Add application, set Application name to "M2M Client", and click Add.
On the General tab, click Certificate management > Client secret credential > Add client_secret. Select a Client secret validity period and click Confirm.
Click View next to client_secret. Copy and save the following values for later use:
client_id (example: app_m5doo******)
client_secret (example: CS5v3F******)
Copy and save the Token endpoint URL from Application settings (example: https://******.aliyunidaas.com/api/v2/iauths_system/oauth2/token).
On the Client permission management tab, turn on the Custom permissions switch.
Step 4: Configure AI Gateway JWT authentication
Create a consumer in AI Gateway that uses JWT authentication. The consumer tells AI Gateway how to validate tokens issued by IDaaS EIAM.
Create a consumer and configure JWT authentication
In the AI Gateway console, go to AI Gateway > Consumers and click Create consumer.
Configure the following settings and click Create.
For more information, see Create a consumer.
| Configuration item | Description | Example value |
|---|---|---|
| Consumer name | Custom name for the consumer. | test_consumer |
| Status | Consumer status. You can change this after creation. | Enabled |
| Authentication method | Set to JWT. | JWT |
| Creation method | How AI Gateway fetches the JWKS. | Remote fetch |
| JWKS URL | The public key endpoint URL from the M2M Server application (Step 3). | URL from Public key endpoint |
| Consumer ID in JWKS payload > key | The JWT claim used as the consumer identifier. | scope |
| Consumer ID in JWKS payload > Value | The scope value to match. | Scope value from Step 3 |
Grant API permissions to the consumer
On the Consumers list page, click the consumer name to open its details page, then click the Consumer authorization tab.
Click the Model API tab, then click Grant.
In the authorization panel, select the Model API you created in Step 2 and click OK.
For more information, see Authorization management.
Step 5: Verify the configuration
Get an M2M access token
This example uses the client_secret_post authentication method. For information about other authentication methods, including OIDC federation, PKCS#7 signature authentication, and PrivateCA certificate authentication, see M2M Client Token call examples.
Run the following command to request an access token from IDaaS EIAM:
```bash
curl --location --request POST '<Token endpoint. Example: https://******.aliyunidaas.com/api/v2/iauths_system/oauth2/token>' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=<client_id. Example: app_m5doo******>' \
  --data-urlencode 'client_secret=<client_secret. Example: CS5v3F******>' \
  --data-urlencode 'scope=<ResourceServer Identifier. Example: cloud:idaas:aigateway:alibabacloud:******>|<Scope value>'
```

Replace the placeholders with the values you saved in Step 3:
<Token endpoint>: The Token endpoint URL from the M2M Client application.
<client_id>: The client_id from the M2M Client application.
<client_secret>: The client_secret from the M2M Client application.
<ResourceServer Identifier>: The ResourceServer identifier from the M2M Server application.
<Scope value>: The Scope value from the M2M Server application.
The scope parameter must include both the ResourceServer identifier and the scope value, separated by a vertical bar (|). Because the full command line is recorded in shell history, pass the client_secret from an environment variable or a file for anything beyond a one-off test.
A successful response looks like:
```json
{
  "token_type": "Bearer",
  "access_token": "eyJraWQi******Nsn2u7Jcw",
  "expires_in": 3600,
  "expires_at": 1765448721
}
```

Copy the access_token value. It expires after expires_in seconds (typically 3,600 seconds).
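The access token is a JWT, so its header and claims can be read locally to diagnose a rejected call before going back to IDaaS. The following inspector is an added example (not code from the original page or from Alibaba Cloud): it decodes the two readable segments, reports how long the token has left, and checks whether the scope value that the AI Gateway consumer is configured to match appears in the `scope` claim. It assumes the claim is named `scope` (the claim name chosen for the consumer in Step 4) and accepts either the bare scope value or the `<ResourceServer Identifier>|<Scope value>` form, since the exact claim layout is not shown on the page. The sample token is constructed in the block with a placeholder signature; it is not an IDaaS-issued token, and nothing here verifies signatures, which is AI Gateway's job via the JWKS endpoint.

```python
import base64
import json
import time
from typing import Dict, Optional, Set, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWTs omit '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Return (header, claims) of a compact JWT WITHOUT checking the signature.

    Use only for local inspection: the signature is validated by AI Gateway
    against the IDaaS JWKS, not by the application that presents the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def seconds_remaining(claims: Dict, now: Optional[float] = None) -> int:
    """Seconds until the 'exp' claim; a negative value means the token is already expired."""
    now = time.time() if now is None else now
    return int(claims["exp"] - now)


def granted_scopes(claims: Dict) -> Set[str]:
    """Normalize the scope claim: OAuth issuers return a space-delimited string or a list."""
    scope = claims.get("scope", "")
    if isinstance(scope, str):
        return set(scope.split())
    return set(scope)


def scope_matches(claims: Dict, expected_scope: str) -> bool:
    """True if the consumer's configured scope value is present in the token.

    Assumption: an entry may be the bare scope value or the
    '<ResourceServer Identifier>|<Scope value>' form used in the token request,
    so both spellings are accepted.
    """
    for entry in granted_scopes(claims):
        if entry == expected_scope or entry.rsplit("|", 1)[-1] == expected_scope:
            return True
    return False


def make_sample_token(claims: Dict, kid: str = "sample-kid") -> str:
    """Constructed sample token for offline testing; the signature segment is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    segments = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    ]
    return ".".join(segments) + "." + _b64url_encode(b"placeholder-signature")


if __name__ == "__main__":
    issued = int(time.time())
    token = make_sample_token(
        {
            "sub": "app_example",  # hypothetical client_id
            "scope": "cloud:idaas:aigateway:alibabacloud:000000|llm:invoke",
            "iat": issued,
            "exp": issued + 3600,
        }
    )
    header, claims = decode_jwt_unverified(token)
    print("kid:", header["kid"])
    print("seconds remaining:", seconds_remaining(claims))
    print("matches consumer scope 'llm:invoke':", scope_matches(claims, "llm:invoke"))
```

If `seconds_remaining` is negative or `scope_matches` is false for the value configured on the consumer, AI Gateway will reject the call regardless of whether the signature is valid; fix the request's scope parameter or fetch a fresh token rather than retrying the gateway.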
Call the LLM API through AI Gateway
Use the access token as a Bearer token to send a request to AI Gateway:
```bash
curl --location '<Domain name. Example: http://env-d4t6******kv0-cn-hangzhou.alicloudapi.com>/v1/chat/completions' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <M2M Token>' \
  --data '{
    "model": "qwen-max",
    "stream": true,
    "max_tokens": 1024,
    "top_p": 0.95,
    "temperature": 1,
    "messages": [
      {
        "role": "user",
        "content": "<prompt>"
      }
    ]
  }'
```

There must be exactly one space between Bearer and the access token. Replace <Domain name> with the public endpoint from Overview > Endpoints > Endpoints and IPs on the AI Gateway instance details page. The example sends the token over plain HTTP to the test endpoint; a bearer token can be replayed by anyone who captures it until it expires, so use HTTPS on your custom domain for production calls.
A streaming response from Model Studio confirms that the end-to-end integration is working.
Debug using the AI Gateway console
To verify the configuration using the built-in debug tool:
In the AI Gateway console, go to AI Gateway > Instances and click the target instance ID.
In the left navigation pane, click Model API, then click the Model API name.
In the upper-right corner, click Debug.
Configure the following parameters:
Domain name: Select a public endpoint, such as env-d4t******kv0-cn-hangzhou.alicloudapi.com.
Header: Click Add parameter and add Authorization with the value Bearer <access_token>.
Prompt: Enter a prompt to send to the LLM.
Click Send request and view the result in the Model response section.
End-to-end Python example
The following example combines token acquisition and the API call in a single script:
```python
import os
import requests
from openai import OpenAI

# Step 1: Get an M2M access token from IDaaS EIAM.
# os.environ[...] (not .get) so a missing variable fails here instead of
# sending "None" as a credential to the token endpoint.
TOKEN_ENDPOINT = os.environ["IDAAS_TOKEN_ENDPOINT"]
CLIENT_ID = os.environ["IDAAS_CLIENT_ID"]
CLIENT_SECRET = os.environ["IDAAS_CLIENT_SECRET"]
SCOPE = os.environ["IDAAS_SCOPE"]  # Format: <ResourceServer Identifier>|<Scope value>

token_response = requests.post(
    TOKEN_ENDPOINT,
    headers={"Content-Type": "application/x-www-form-urlencoded"},
    data={
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": SCOPE,
    },
    timeout=10,
)
token_response.raise_for_status()
access_token = token_response.json()["access_token"]

# Step 2: Call Model Studio through AI Gateway using the access token.
# The OpenAI client sends api_key as "Authorization: Bearer <api_key>", which is
# exactly the header AI Gateway's JWT consumer expects, so pass the token as the key.
AI_GATEWAY_BASE_URL = os.environ["AI_GATEWAY_BASE_URL"]  # Example: http://env-d4t6******kv0-cn-hangzhou.alicloudapi.com/v1
client = OpenAI(base_url=AI_GATEWAY_BASE_URL, api_key=access_token)

stream = client.chat.completions.create(
    model="qwen-max",
    messages=[{"role": "user", "content": "Hello, how are you?"}],
    stream=True,
    max_tokens=1024,
    top_p=0.95,
    temperature=1,
)
for chunk in stream:
    if chunk.choices and chunk.choices[0].delta.content:
        print(chunk.choices[0].delta.content, end="", flush=True)
```

Set the following environment variables before running the script:
| Environment variable | Description |
|---|---|
| IDAAS_TOKEN_ENDPOINT | Token endpoint URL from the M2M Client application |
| IDAAS_CLIENT_ID | client_id from the M2M Client application |
| IDAAS_CLIENT_SECRET | client_secret from the M2M Client application |
| IDAAS_SCOPE | `<ResourceServer Identifier>\|<Scope value>` |
| AI_GATEWAY_BASE_URL | AI Gateway public endpoint with /v1 suffix |
Production checklist
| Recommendation | Details |
|---|---|
| Use federated authentication | For production, replace client_secret_post with a federated credential method such as OIDC federation, PKCS#7 signature authentication, or PrivateCA certificate authentication. |
| Cache access tokens | Reuse the access token within its validity period (expires_in seconds) instead of requesting a new one for every API call. This reduces latency and IDaaS load. |
| Use a custom domain | The AI Gateway public endpoint has a daily call limit of 1,000 requests. Resolve your business domain name to the public endpoint using a CNAME record and use the custom domain in production. |
| Apply least privilege | Grant only the minimum scope required to the M2M Client application. Do not share a single client credential across multiple applications with different permission needs. |
| Rotate client secrets | Rotate the client_secret of your M2M Client application regularly and update all services that use it. |
| Monitor token usage | Track access token issuance and API call volume in IDaaS and AI Gateway to detect anomalous behavior early. |
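The "Cache access tokens" recommendation above is easy to get subtly wrong: a token that is still valid when the request leaves the application can expire before AI Gateway checks it, and two threads can both decide to refresh at once. The following provider is an added example (not code from the original page or from Alibaba Cloud) that caches one token per validity window, treats it as stale a configurable number of seconds before the issuer's `expires_in` runs out, serializes refreshes with a lock, and exposes `invalidate()` for the case where AI Gateway rejects a token early (for example after the client secret has been rotated). The token-endpoint call is injected as a function so the logic can be exercised offline; `fake_idaas_fetcher` is a constructed stand-in, and `make_idaas_fetcher` shows the real wiring using the same POST body as Step 5.

```python
import threading
import time
from typing import Callable, Dict, Optional

# Assumed shape of a fetcher: returns the IDaaS token response as a dict with at
# least "access_token" and "expires_in" (seconds), as shown in Step 5.
TokenFetcher = Callable[[], Dict]


class CachedTokenProvider:
    """Serve one access token per validity window and refresh it before it expires.

    refresh_skew: seconds before expiry at which the token is treated as stale,
                  so a request in flight at expiry time does not get a 401.
    clock:        injectable time source (time.time in production, a fake in tests).
    """

    def __init__(self, fetch: TokenFetcher, refresh_skew: int = 60,
                 clock: Callable[[], float] = time.time):
        if refresh_skew < 0:
            raise ValueError("refresh_skew must be non-negative")
        self._fetch = fetch
        self._skew = refresh_skew
        self._clock = clock
        self._lock = threading.Lock()
        self._token: Optional[str] = None
        self._expires_at: float = 0.0
        self.fetch_count = 0  # how many times the token endpoint was actually called

    def _stale(self) -> bool:
        return self._token is None or self._clock() >= self._expires_at - self._skew

    def get_token(self) -> str:
        # Always take the lock: it is far cheaper than a duplicate network round
        # trip, and a lock-free fast path would let concurrent callers double-fetch.
        with self._lock:
            if self._stale():
                resp = self._fetch()
                expires_in = int(resp["expires_in"])
                if expires_in <= self._skew:
                    # Such a token would be stale on arrival: the skew is wrong for
                    # this issuer. Fail loudly instead of refetching on every call.
                    raise RuntimeError(
                        f"expires_in={expires_in}s is not longer than refresh_skew={self._skew}s")
                self._token = resp["access_token"]
                self._expires_at = self._clock() + expires_in
                self.fetch_count += 1
            return self._token

    def invalidate(self) -> None:
        """Drop the cached token, e.g. after AI Gateway returns 401 for it."""
        with self._lock:
            self._token = None
            self._expires_at = 0.0


def make_idaas_fetcher(token_endpoint: str, client_id: str, client_secret: str,
                       scope: str) -> TokenFetcher:
    """Real fetcher: POSTs the client credentials grant exactly as in Step 5."""
    def fetch() -> Dict:
        import requests  # imported lazily so the offline parts of this module need no network libs
        resp = requests.post(
            token_endpoint,
            data={"grant_type": "client_credentials", "client_id": client_id,
                  "client_secret": client_secret, "scope": scope},
            timeout=10,
        )
        resp.raise_for_status()
        return resp.json()
    return fetch


def fake_idaas_fetcher(counter: Dict[str, int], expires_in: int = 3600) -> TokenFetcher:
    """Constructed stand-in for the IDaaS token endpoint; issues tok-1, tok-2, ... on each call."""
    def fetch() -> Dict:
        counter["n"] = counter.get("n", 0) + 1
        return {"token_type": "Bearer", "access_token": f"tok-{counter['n']}",
                "expires_in": expires_in}
    return fetch


if __name__ == "__main__":
    now = {"t": 0.0}
    provider = CachedTokenProvider(fake_idaas_fetcher({}), refresh_skew=60,
                                   clock=lambda: now["t"])
    print(provider.get_token())          # tok-1, fetched
    print(provider.get_token())          # tok-1, served from cache
    now["t"] = 3540.0                    # 60 s before expiry: treated as stale
    print(provider.get_token())          # tok-2, refreshed
    print("fetches:", provider.fetch_count)
```

Pair `get_token()` with one retry on a 401 from AI Gateway: call `invalidate()`, fetch once more, and resend; if the second attempt also fails, the problem is the consumer configuration or the scope, not token freshness, and retrying further only adds load on IDaaS.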