To call model services from untrusted environments such as browsers and mobile apps, use a secure backend service to generate temporary API keys. This prevents your permanent API key from being exposed.
A temporary API key inherits all permissions from the API key used to create it, including access restrictions for specific models or knowledge bases.
Prerequisites
Get a permanent API key on the Key Management (Singapore), Key Management (Virginia), Key Management (Beijing), or Key Management (China (Hong Kong)) page. Then set the key as the DASHSCOPE_API_KEY environment variable. For more information, see Configure an API key as an environment variable.
Request example
By default, a temporary API key is valid for 60 seconds. Set a custom time-to-live (TTL) between 1 and 1,800 seconds using the expire_in_seconds parameter.
API keys differ by region.
The following example uses the Singapore region endpoint. Replace WorkspaceId with your actual workspace ID. For the Beijing region, replace the URL with: https://dashscope.aliyuncs.com/api/v1/tokens?expire_in_seconds=1800
# This is the Singapore region URL. Replace WorkspaceId with your actual workspace ID. URLs differ by region.
curl -X POST "https://{WorkspaceId}.ap-southeast-1.maas.aliyuncs.com/api/v1/tokens?expire_in_seconds=1800" \
-H "Authorization: Bearer $DASHSCOPE_API_KEY"
Response example
Successful response example
{
"token":"st-****",
"expires_at":1744080369
}
Response parameters
|
Parameter |
Type |
Description |
Example |
|
token |
String |
Generated temporary API key. |
st-**** |
|
expires_at |
Number |
Expiration time as a UNIX timestamp, in seconds. |
1744080369 |
Error response example
{
"code":"InvalidApiKey",
"message":"Invalid API-key provided.",
"request_id":"902fee3b-f7f0-9a8c-96a1-6b4ea25af114"
}
Response parameters
|
Parameter |
Type |
Description |
Example |
|
code |
String |
Error code. For causes and solutions, see Error codes. |
InvalidApiKey: The API key is invalid. |
|
message |
String |
Error message. |
Invalid API-key provided. |
|
request_id |
String |
Request ID. |
902fee3b-f7f0-9a8c-96a1-6b4ea25af114 |
FAQ
Q: Can I manually delete a temporary API key?
A: No. Temporary API keys have a fixed lifecycle and expire automatically. You cannot delete them before they expire.