Alibaba Cloud Model Studio: Generate a temporary API key

Last Updated: Mar 15, 2026

When you call Model Studio APIs from a client-side environment (browser or mobile app), embedding your API key exposes it to users. Instead, exchange the API key for a temporary token (valid for 60 seconds) and use the token in the client. An intercepted token expires before it can be misused.

Common scenarios:

  • Client-side applications -- Browser chatbots or mobile apps call Model Studio APIs directly using temporary tokens, without backend proxying.

  • Third-party integrations -- Share temporary tokens with partner applications to make API calls on your behalf without exposing your API key.

  • Short-lived operations -- Protect sensitive requests (data access or deletion) with 60-second tokens.

Quick start

Request a token with cURL, then use it in an API call:

# Step 1: Request a temporary token
curl -s -X POST https://dashscope-intl.aliyuncs.com/api/v1/tokens \
  -H "Authorization: Bearer $DASHSCOPE_API_KEY"

# Response: {"token":"st-****","expires_at":1744080369}

# Step 2: Use the token in place of your API key
curl -X POST <api-endpoint> \
  -H "Authorization: Bearer st-****" \
  -H "Content-Type: application/json" \
  -d '<request-body>'

Replace $DASHSCOPE_API_KEY with your API key (or use the configured environment variable), st-**** with the token from the response, and <api-endpoint>/<request-body> with your target endpoint and payload.

Prerequisites

Before you begin, ensure you have an activated Alibaba Cloud Model Studio account and an API key. Store the API key in the DASHSCOPE_API_KEY environment variable (see Configure an API key as an environment variable).

Request a token

Send a POST request to the token endpoint. Only HTTP requests are supported.

API keys differ by region. The URL below is for Singapore. For Beijing, use: https://dashscope.aliyuncs.com/api/v1/tokens?expire_in_seconds=1800

curl -X POST "https://dashscope-intl.aliyuncs.com/api/v1/tokens?expire_in_seconds=1800" \
  -H "Authorization: Bearer $DASHSCOPE_API_KEY"

cURL

curl -X POST https://dashscope-intl.aliyuncs.com/api/v1/tokens \
  -H "Authorization: Bearer $DASHSCOPE_API_KEY"

Python

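import os
import requests

# Read the long-lived API key from the environment; fail loudly if it is unset
# instead of sending "Bearer None".
api_key = os.environ["DASHSCOPE_API_KEY"]

response = requests.post(
    "https://dashscope-intl.aliyuncs.com/api/v1/tokens",
    headers={"Authorization": f"Bearer {api_key}"},
    timeout=10,  # do not hang indefinitely on a stalled connection
)

data = response.json()
print(data)
# Success: {"token": "st-****", "expires_at": 1744080369}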

Node.js

const apiKey = process.env.DASHSCOPE_API_KEY;

const response = await fetch("https://dashscope-intl.aliyuncs.com/api/v1/tokens", {
  method: "POST",
  headers: { "Authorization": `Bearer ${apiKey}` }
});

const data = await response.json();
console.log(data);
// Success: {"token": "st-****", "expires_at": 1744080369}

Success response

{
    "token": "st-****",
    "expires_at": 1744080369
}

Error response

{
    "code": "InvalidApiKey",
    "message": "Invalid API-key provided.",
    "request_id": "902fee3b-f7f0-9a8c-96a1-6b4ea25af114"
}

Use the token in API calls

Pass the token as a Bearer token in the Authorization header, replacing your API key:

cURL

curl -X POST <api-endpoint> \
  -H "Authorization: Bearer st-****" \
  -H "Content-Type: application/json" \
  -d '<request-body>'

Python

import requests

# Use the temporary token instead of the API key
temp_token = "st-****"

response = requests.post(
    "<api-endpoint>",
    headers={
        "Authorization": f"Bearer {temp_token}",
        "Content-Type": "application/json"
    },
    json={
        # Your request payload
    }
)

print(response.json())

Node.js

// Use the temporary token instead of the API key
const tempToken = "st-****";

const response = await fetch("<api-endpoint>", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${tempToken}`,
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    // Your request payload
  })
});

const data = await response.json();
console.log(data);

Replace st-**** with the token from the response and <api-endpoint> with your target Model Studio API endpoint.

Important

Tokens expire after 60 seconds. Request a new token before expiration. In-flight requests may fail with authentication errors if the token expires mid-request.
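The refresh rule in the note above, as an added example (not code from the Model Studio documentation): a cache that reuses a token only while it still has a safety margin before `expires_at`, so a request is never started with a token about to expire. `TemporaryTokenCache`, `TokenError`, `fetch_from_model_studio` and the 15-second margin are assumptions made for this illustration.

```python
import time
from typing import Callable, Optional


class TokenError(Exception):
    """The token endpoint returned an error body instead of a token."""

    def __init__(self, body: dict):
        self.code = body.get("code")
        self.request_id = body.get("request_id")
        super().__init__(f"{self.code}: {body.get('message')} "
                         f"(request_id={self.request_id})")


class TemporaryTokenCache:
    """Hands out a token only while it still has min_remaining seconds left."""

    def __init__(self, fetch: Callable[[], dict], min_remaining: float = 15.0,
                 now: Callable[[], float] = time.time):
        self._fetch = fetch                  # does the POST, returns parsed JSON
        self._min_remaining = min_remaining  # assumed margin, tune per workload
        self._now = now
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def get(self) -> str:
        # Refresh when there is no token or it is so close to expires_at that a
        # request started now could still be in flight when it expires.
        if self._token is None or self._expires_at - self._now() < self._min_remaining:
            self._token = None               # never fall back to a stale token
            body = self._fetch()
            if "token" not in body or "expires_at" not in body:
                raise TokenError(body)
            self._token = body["token"]
            self._expires_at = float(body["expires_at"])
        return self._token


def fetch_from_model_studio() -> dict:
    """Fetcher built from this page's request; run it where the API key lives."""
    import os
    import requests  # imported lazily so the cache itself has no dependency
    response = requests.post(
        "https://dashscope-intl.aliyuncs.com/api/v1/tokens",
        headers={"Authorization": f"Bearer {os.environ['DASHSCOPE_API_KEY']}"},
        timeout=10,
    )
    return response.json()
```

Create one `TemporaryTokenCache(fetch_from_model_studio)` on the side that holds the API key and call `get()` each time a token is needed.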

Response parameters

| Parameter | Type | Description | Example |
| --- | --- | --- | --- |
| token | String | A short-lived token (60 seconds) generated from your API key. | st-**** |
| expires_at | Long | Token expiration time as a UNIX timestamp in seconds. | 1738916382 |
| code | String | Error code returned on failure. | InvalidApiKey |
| message | String | Error message describing the failure. | Invalid API-key provided. |
| request_id | String | A unique request identifier for troubleshooting. | 902fee3b-f7f0-9a8c-96a1-6b4ea25af114 |

Error codes

| Error code | Description |
| --- | --- |
| InvalidApiKey | The API key is invalid or revoked. Verify your key is correct. |
| Throttling.RateQuota | Too many requests. Wait briefly, then retry. |
| SystemError | An internal error occurred. Retry the request, or contact support if it persists. |

For a full list of error codes, see Error messages.
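One way to turn the error-code table into a retry policy, as an added example that is not part of the original documentation: `Throttling.RateQuota` and `SystemError` are retried, while `InvalidApiKey` is raised on the first attempt. `request_token`, `TokenRequestFailed`, the exponential backoff values and the choice to treat unlisted codes as fatal are assumptions of this sketch.

```python
import time
from typing import Callable

# Policy derived from the error-code table above. Codes not listed there are
# treated as fatal (assumption: fail closed rather than retry blindly).
RETRYABLE = {"Throttling.RateQuota", "SystemError"}


class TokenRequestFailed(Exception):
    def __init__(self, body: dict, attempts: int):
        self.code = body.get("code")
        self.request_id = body.get("request_id")  # keep for troubleshooting
        self.attempts = attempts
        super().__init__(f"{self.code} after {attempts} attempt(s), "
                         f"request_id={self.request_id}")


def request_token(post: Callable[[], dict], max_attempts: int = 4,
                  base_delay: float = 0.5,
                  sleep: Callable[[float], None] = time.sleep) -> dict:
    """Call post() until it returns a token body or a non-retryable error.

    post() performs the token POST and returns the parsed JSON body.
    """
    for attempt in range(1, max_attempts + 1):
        body = post()
        if "token" in body:
            return body
        # InvalidApiKey means a wrong or revoked key: retrying cannot succeed
        # and only adds failed-auth noise, so surface it immediately.
        if body.get("code") not in RETRYABLE or attempt == max_attempts:
            raise TokenRequestFailed(body, attempt)
        sleep(base_delay * 2 ** (attempt - 1))  # 0.5 s, 1 s, 2 s (assumed)
    raise ValueError("max_attempts must be at least 1")
```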
