
API Gateway: Manage authorizations

Last Updated: Jul 17, 2024

The API authorization feature is used to authorize an application to call an API. An application is an identity that is used to call an API. An application must be authorized before it can be used to call an API.

Prerequisites

Alibaba Cloud App is used as the security authentication method of the API.

1. Application

An application is an identity that is used to call an API. Each application has a key pair that consists of an AppKey and an AppSecret. When you use an application to call an API, the AppKey of the application must be specified as a header in the request and the AppSecret must be used to calculate a signature string that is attached to the request. For information about how to calculate and pass a signature, see Use digest authentication to call an API.

  • Whoever obtains the AppKey and AppSecret pair of an application has all permissions on the application. You must keep AppKey and AppSecret pairs confidential. If you accidentally leak an AppKey and AppSecret pair, you can reset the pair in the API Gateway console.

  • You can create multiple applications and authorize them to call different APIs based on your business requirements. Note that only applications, instead of Alibaba Cloud accounts, can be authorized to call APIs.

  • In the API Gateway console, you can create, modify, or delete an application, view the details of an application, manage key pairs, and view the APIs that an application is authorized to call.

  • You can add new AppKey and AppSecret pairs to an application and view the added key pairs on the application details page. Each of the new key pairs has all permissions on the application. If you no longer require an added key pair, you can also delete the key pair. However, you cannot delete the default key pair of an application, which is generated when you create the application.

Create an application

  1. Log on to the API Gateway console. In the left-side navigation pane, choose Call APIs > Apps. Click Create App in the upper-right corner.

  2. In the Create App dialog box, configure the App Name parameter and click Confirm.

Note

Other optional parameters include Set Tags, Custom AK, Extended Fields, and Description. You can configure these parameters based on your business requirements.

  • Set Tags: Add tags to your application for easier management.

  • Custom AK: You can create a custom AccessKey pair and AppCode for the application. You can also modify the custom AccessKey pair and AppCode after you create the application. The modification immediately takes effect.

  • Extended Fields: You can configure an extended field for the application. The system passes the extended field as a system parameter named CaAppExtInfo to the backend service.

    Important

    For dedicated instances purchased before August 2023, if extended fields do not take effect, you must submit a ticket to have your instance upgraded.

2. Authorize an application to call an API

Applications must be authorized before they can be used to call an API. Only authorized applications can call the API.

  • If you create your own application and API, you can authorize the application to call the API directly in the console.

  • If you purchase an API from Alibaba Cloud Marketplace, you can authorize your application to call the purchased API. Alibaba Cloud Marketplace also creates an authorized application for you during the purchase. For more information, go to the Alibaba Cloud Marketplace console.

  • If you want to call an API of another Alibaba Cloud account, API authorization must be performed by that account, also known as the API provider. You must create an application and provide the ID of the application to the API provider. Then, the API provider can find your application by using the application ID and authorize your application to call the API.
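The following sketch is an added example, not Alibaba Cloud's code. It models the checks described in sections 1 and 2: any key pair of an application authenticates as that application, and an authenticated application still needs an authorization for the API and stage. The header names X-Ca-Key, X-Ca-Timestamp and X-Ca-Signature are the gateway's; the string-to-sign is a simplified assumption (the real layout is defined in Use digest authentication to call an API), and the app ID, keys, API name and grants are constructed.

```python
import base64
import hashlib
import hmac

# Constructed data: one app with its default key pair plus one added pair.
DEFAULT_KEYS = {"app-1001": "default-key"}
APP_KEYS = {  # AppKey -> (app ID, AppSecret); all values are made up
    "default-key": ("app-1001", b"default-secret"),
    "added-key": ("app-1001", b"added-secret"),
}
GRANTS = {("orders-api", "RELEASE"): {"app-1001"}}  # (API, stage) -> app IDs

def sign(app_secret, method, path, timestamp):
    # Simplified string-to-sign (assumption, not the gateway's real layout).
    message = "\n".join([method.upper(), timestamp, path]).encode()
    digest = hmac.new(app_secret, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def client_headers(app_key, app_secret, method, path, timestamp):
    # The AppKey travels in a header; the AppSecret only ever feeds the HMAC.
    return {"X-Ca-Key": app_key, "X-Ca-Timestamp": timestamp,
            "X-Ca-Signature": sign(app_secret, method, path, timestamp)}

def gateway_check(headers, method, path, api, stage):
    entry = APP_KEYS.get(headers.get("X-Ca-Key", ""))
    if entry is None:
        return "unknown-appkey"
    app_id, secret = entry
    expected = sign(secret, method, path, headers.get("X-Ca-Timestamp", ""))
    supplied = headers.get("X-Ca-Signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad-signature"
    # Authentication alone is not enough: the app needs a grant for this stage.
    if app_id not in GRANTS.get((api, stage), set()):
        return "not-authorized"
    return "ok:" + app_id

def delete_key_pair(app_key):
    # Mirrors the console rule: added pairs can be deleted, the default cannot.
    app_id, _ = APP_KEYS[app_key]
    if DEFAULT_KEYS[app_id] == app_key:
        raise ValueError("default key pair cannot be deleted")
    del APP_KEYS[app_key]

if __name__ == "__main__":
    h = client_headers("added-key", b"added-secret", "GET", "/orders", "1721203200000")
    print(gateway_check(h, "GET", "/orders", "orders-api", "RELEASE"))
    delete_key_pair("added-key")  # the added pair is no longer required
    print(gateway_check(h, "GET", "/orders", "orders-api", "RELEASE"))
```
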

Procedure for API authorization

2.1 Log on to the API Gateway console. In the left-side navigation pane, choose Manage APIs > APIs. Find the API that you want to manage and choose Authorize in the Actions column.

2.2 In the Authorize dialog box, specify the Stage and Authorization Validity Period parameters and then select an application to authorize. Select My Apps from the Choose Apps for Authorization drop-down list and click Search. The applications that belong to your account are automatically loaded.

If you want to authorize an application that belongs to another account, select App ID from the Choose Apps for Authorization drop-down list, enter the ID of the application, and click Search. The application is displayed.

Important

If your dedicated instance was purchased before November 2023 and new key pairs that are added to applications do not take effect, you must submit a ticket to have your instance upgraded. Default key pairs that are generated when applications are created are not subject to version limits.