API Gateway

API Gateway provides you with high-performance and highly available API hosting services to deploy and release your APIs on Alibaba Cloud products.

API Gateway provides you with a complete API hosting service, sharing your capabilities, services, and data with your partners in the form of APIs.

  • API security is ensured by adopting multiple protection measures, including attack defense, anti-replay, encryption request, identity authentication, access management, and throttling. This minimizes the risks associated with opening APIs.

  • This service provides a full scope of lifecycle management functions, including API definition, test, release, and removal, etc., as well as generating SDKs and API instructions, in order to improve the efficiency of API management and iteration.

  • The service provides convenient operation and management tools, such as monitoring, alarms, and analysis, which reduce API operation and maintenance costs.

API Gateway maximizes capability multiplexing. It allows enterprises to share capabilities, and to focus on their individual business and achieve a win-win situation.


Increased Productivity

Once you have entered your APIs, API Gateway relieves you of the hassle of API management. It takes care of API documentation maintenance, SDK maintenance, API version management, and other tedious tasks for you. This will significantly reduce your daily maintenance costs.

Only Pay for Actual Services

The API Gateway service is activated for free, and you don’t need to pay for daily API management, document generation, SDK generation, throttling, or access control. You only pay for actual API calls.

Large Scale and High-performance

Through distributed deployment and automatic scaling, API Gateway can handle massive API access requests and provide highly secure and efficient gateway functions for your backend service with lower latency.

Secure and Stable

You can open your service to API Gateway in the intranet environment without worrying about security issues. API Gateway also provides strict access management, accurate throttling, and comprehensive alarm and monitoring, presenting you a secure, stable, and controllable service.

Product Details

Below are the main features of API Gateway.


API Lifecycle Management

  • This service supports a range of lifecycle management functions, including API release, API testing, and API removal.

  • It supports routine API management, API version management, quick API rollback, and other maintenance functions.

Comprehensive Security Protection

  • API Gateway supports multiple authentication methods, as well as HMAC (SHA-1, SHA-256) algorithms for signatures.

  • It supports HTTPS protocol and SSL encryption.

  • It supports anti-attack, anti-injection, anti-request replay, and anti-request tampering.

Flexible Permission Control

  • You can use an app as your identity of API request, and the gateway supports app-based permission control.

  • Only authorized apps can send requests to the API.

  • API providers can manually authorize an app, issuing it a permission to call an API.

Precise Throttling

  • Throttling can be used to control the number of visits to an API, the request frequency of an app, or the request frequency of a user.

  • Throttling can be measured in minutes, hours, or days.

  • The gateway also supports throttling exceptions, allowing you to grant exceptions to special apps and users.

Request Verification

  • The service supports parameter type and parameter value (range, enumeration, regular expression, JSON Schema) verification. Invalid parameter types and values will be rejected instantly by API Gateway. This avoids wasting the backend resources on invalid requests and significantly reduces backend service processing costs.

Data Conversion

  • By configuring mapping rules, you can translate data between the frontend and backend.

  • The service supports frontend request data conversion.

Monitoring and Alarms

  • API Gateway provides visualized real time API monitoring, including call volume, traffic volume, response times, and error rates. The system dimensions will be adjusted accordingly.

  • It supports historical data query, to facilitate overall analysis.

  • You can also configure warning methods (SMS or email) and subscribe to warning information, to learn the API operational status in real time.

Automated Tools

  • API Gateway automatically generates API documentation, which can be viewed online.

  • API Gateway provides demo SDKs in multiple languages. This reduces API operation and management costs.

  • API Gateway provides visual debugging tools on the page for rapid testing and going online.


API Gateway satisfies your many needs in various scenarios. You can open APIs to partners and developers, monetize your enterprise's core competence, and establish an API ecosystem. Your APIs can adapt to multiple terminals (such as mobile and Internet devices), separate the frontend and backend of the system, and support internal system integration, modularization, and microservices.

1. Establish an ecosystem for capability sharing and coordinated development

Faced with a growing number of users with diversified needs, enterprises must continuously explore new business models, to solve various scenario-specific problems for their customers. API Gateway can provide standard API services, allowing other developers to integrate some or all APIs into their apps. This will create new services and help your enterprise to establish a business ecosystem and promote cross-sector innovation.

  • With API Gateway, you can share your core competence with your partners, to deepen your cooperation and promote coordinated development.

2. Secure implementation of multi-terminal unification in a single service system with multi-terminal output

As mobile and IoT devices are becoming increasingly common, make your instructions as simple as possible.

  • You need to maintain a single service system that can transfer output to multiple terminals. By adjusting the API definition, your service system can support apps, devices, web terminals, and other terminals.

  • One set of APIs can process different scenarios, which significantly reduces operation and management costs.

3. Easy system integration and standardization

  • With API Gateway, you can standardize inter-system interfaces and use standardized interfaces for system integration.

  • This service allows you to quickly integrate and manage resources, eliminate the redundancies and waste caused by rapid development and concentrate resources on business development.


API Gateway charges the users that provide APIs at the following rates:

API Gateway billing is calculated based on two dimensions: call volume (quantity) and traffic. Each dimension has its own billing rules and users are charged for both simultaneously.

API Gateway provides free service activation, free API creation, free API release, and free API management.

When an API is called, both the call volume (quantity) and the traffic incurred are charged.

[Call Volume (Quantity)] Billing Description

After activating API Gateway, you get one million calls for free each (calendar) month for the first year. The calls exceeding the limit are billed based on the tiered price schedule below.

| Tiered Billing | Total Monthly Calls Over Specified Amount | Units: USD/million Calls |
|---|---|---|
| Tier 1 | > 0, < 10 million (including) | |
| Tier 2 | > 10 million, < 100 million (including) | |
| Tier 3 | > 100 million | 0.45 |

Call volume (quantity) billing description:

a) Billing item: API call volume (quantity)

b) Payment method: Volume-based post payment

c) Billing cycle: Monthly

d) Bill generation time: The bill is usually provided within one hour (no later than 3 hours) after the end of the current billing cycle.

e) Billing currency: USD

f) Effective call quantity: All the API requests received by API Gateway are counted as valid calls and included in the quantity used for billing.

Description of Pay-By-Traffic

The bill is generated based on downstream traffic at the rates listed below.

| Billing Item | Price Unit | Mainland China | Hong Kong | Asia Pacific SE 3 (Singapore) | Asia Pacific SE 3 (Kuala Lumpur) | EU Central | Asia Pacific SOU 1 (Mumbai) | Asia Pacific SE 5 (Jakarta) | Asia Pacific NE 1 (Tokyo) |
|---|---|---|---|---|---|---|---|---|---|
| Traffic (downstream traffic) | USD/GB | 0.125 | 0.156 | 0.117 | 0.112 | 0.07 | 0.077 | 0.117 | 0.12 |

Description of pay by traffic:

a) Billing item: Traffic fees (downstream traffic)

b) Payment method: Volume-based post payment

c) Billing cycle: Monthly

d) Bill generation time: The bill is generally provided within one hour (no later than 3 hours) after the end of the current billing period.

e) Billing currency: USD

f) If your backend service is not in the same region as API Gateway, or not hosted on Alibaba Cloud, additional fees for the traffic between API Gateway and backend service will be generated. The billing standards are the same as above.

Usage Instructions

A. Service suspension

When you have overdue bills, your APIs cannot be called (operations related to API management can still be performed) and you will be reminded via SMS or email to pay your overdue bill.

B. Service restoration

After you successfully recharge your account within six months of the service suspension, the service will automatically be activated and you can continue to use the service. If you do not recharge your account within six months, API Gateway has the right to clear all your API configuration information.

Getting Started

This page describes the documents for API Gateway.

You can use API Gateway to open APIs, or to request others to open APIs.

Please note that the documents serve different purposes.

If you use API Gateway to open APIs, please read

User Manual (Open APIs) Quick Start (Open APIs)

If you want to request others to open APIs with API Gateway, please read

User Manual (Call APIs) Quick Start (Call APIs)

Of course, you can use API Gateway's APIs and SDKs to perform operations.

Now let's start inputting APIs!


The APIs and SDKs mentioned below are interfaces and tools provided to external users by API Gateway. These interfaces and tools enable you to use the API Gateway product without the console.

These APIs are different from those opened by the users with API Gateway. To find SDKs you can use to send requests to others' open APIs, go to the SDK Download page on the console.

Go to the Console and Download SDK Demo

Developer resources


1. What are the limits of the product?

Please refer to the relevant documents:

Restrictions for Consumer Restrictions for Provider

2. Do I need additional security products?

It depends on your security requirements. API Gateway already adopts several basic security measures, including identity authentication, request encryption, and tamper-proofing. If you have higher security requirements, please combine API gateway with other security products.

3. Do I need to buy Server Load Balancer for the API Gateway?

API Gateway will maintain a balanced load between the client and the gateway, and the gateway will automatically expand according to the number of requests received. If your backend services are on multiple ECS instances, you may need Server Load Balancer to balance the load between these ECS instances.

4. What if payment is overdue?

API Gateway is a Pay-As-You-Go service. If you don't pay on time, your account will be in an 'overdue' state. While in the 'overdue' state, your API services will be suspended, and will only resume once you've paid your overdue balance. If the payment is not made within six months, the API Gateway service may delete your configuration information.

5. Why do I fail to access my backend service by API Gateway?

6. If the requestor passes an undefined parameter, how will API Gateway respond?

API Gateway will discard the parameter and will not pass it to the backend service.

7. Is the HTTPS protocol supported?

Yes, you can start with "https://" when you enter the backend service address. And your backend SSL certificate needs to be valid.

8. How long does it take to release the API?

The release takes effect immediately. Be careful when releasing.

9. How long does the monitoring function delay?

The monitoring is basically real-time, and maximum delay is within one minute.

10. How do I choose the Region that the API Group belongs to?

Try to choose the same Region as the backend ECS or Docker service.

11. What is the subdomain of the API Group? What are the limits?

The subdomain name is assigned by API Gateway. It can only be used during API testing. It is not recommended to open the subdomain name. All APIs in the Group share the same subdomain name. If you request API by visiting the subdomain name, the daily access upper limit is 1000 times.

12. What is the Custom Domain?

If you want to provide the API service, you need to bind a custom domain name with the API Group. Others can request your APIs by visiting the custom domain. The custom domain name can be a second-level or third-level domain. Before binding, you need to add the custom domain name to the subdomain of the API Group.

13. How to ensure the security between API Gateway and my backend service?

You can configure the backend signature key on API Gateway, or use HTTPS to encrypt the request.

Backend Signature

14. Is it necessary to release the API a second time if I want to replace the backend signature key?

No, you just need to create a new key and bind it to API.

15. How to change the backend key without interrupting the service?

Because the binding of the key and API takes effect immediately, you need to support both the old and new keys initially, and then remove the old one after the replacement.
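The dual-key window described in question 15, sketched as an added example (not Alibaba Cloud code and not API Gateway's actual backend signature format): a backend verifier that accepts an HMAC-SHA256 signature made with either the old or the new key, then only the new one. The string-to-sign layout, key labels, and key values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample keys; real keys come from your secret store.
ACTIVE_KEYS = {
    "old": b"constructed-old-backend-key",
    "new": b"constructed-new-backend-key",
}


def canonical_string(method, path, params):
    """Assumed string-to-sign: method, path, then sorted key=value pairs."""
    pairs = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return f"{method.upper()}\n{path}\n{pairs}".encode()


def sign(key, method, path, params):
    digest = hmac.new(key, canonical_string(method, path, params), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify(signature, method, path, params, keys=ACTIVE_KEYS):
    """Return the label of the key that verified the request, or None."""
    matched = None
    for label, key in keys.items():
        expected = sign(key, method, path, params)
        # Constant-time comparison; every key is checked so timing does not
        # reveal which key matched.
        if hmac.compare_digest(expected.encode(), signature.encode()):
            matched = label
    return matched


def rotation_demo():
    req = ("GET", "/orders", {"id": "42", "page": "1"})
    old_sig = sign(ACTIVE_KEYS["old"], *req)
    new_sig = sign(ACTIVE_KEYS["new"], *req)
    during = (verify(old_sig, *req), verify(new_sig, *req))
    # After the gateway has switched, drop the old key from the accepted set.
    after_keys = {"new": ACTIVE_KEYS["new"]}
    after = (verify(old_sig, *req, keys=after_keys), verify(new_sig, *req, keys=after_keys))
    tampered = verify(new_sig, "GET", "/orders", {"id": "43", "page": "1"})
    return during, after, tampered


if __name__ == "__main__":
    print(rotation_demo())
```

Logging the label returned by `verify` shows when requests signed with the old key have stopped arriving, which is the point at which the old key can be removed.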

16. What is the app in API Gateway?

An app is created by the requestor as an identity. Each app has an AppKey and AppSecret, which are included in the signature request. API Gateway requires app signature authentication and privilege authentication.

17. How does API Gateway realize the permission control?

You need to create an app as your identity when you request an API service through API Gateway. A requestor can request an API only if he or she has the privilege or buys the API service.

18. How to troubleshoot when a request fails?

Please check the following items:

  • Verify that the domain name has been resolved;

  • Verify that the domain name has been bound to the subdomain of API group;

  • Verify that the API has been released;

  • Verify that the app is authorized;

  • Verify that the backend service address is correct and it can be accessed properly;

  • Check the time-out configuration and make sure that the backend service returns within the set time;

  • Check the throttling limit.

Please refer to the documentation for error information:

Error Code Table