Authentication
Requests for calling an API can be authenticated using either of the following methods:
- AK/SK authentication: Requests are encrypted using AK/SK pairs. AK/SK-based authentication is recommended because it is more secure than token-based authentication.
- Token-based authentication: Requests are authenticated using a token.
AK/SK-based Authentication

AK/SK-based authentication supports API requests with a body not larger than 12 MB. For API requests with a larger body, token-based authentication is recommended.
In AK/SK-based authentication, AK/SK is used to sign requests and the signature is then added to the request headers for authentication.
- AK: access key ID, which is a unique identifier used in conjunction with a secret access key to sign requests cryptographically.
- SK: secret access key used in conjunction with an AK to sign requests cryptographically. It identifies a request sender and prevents the request from being modified.

The signing SDK is only used for signing requests and is different from the SDKs provided by services.
Token-based Authentication

The validity period of a token is 24 hours. When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token.
A token specifies temporary permissions in a computer system. During API authentication using a token, the token is added to request headers to get permissions for calling the API. You can obtain a token by calling an API.
- For a project-level service, you need to obtain a project-level token. When you call the API, set auth.scope in the request body to project.
- For a global service, you need to obtain a global token. When you call the API, set auth.scope in the request body to domain.
When calling the API used for obtaining a user token, you must set auth.scope in the request body to project.
{ "auth": { "identity": { "methods": [ "password" ], "password": { "user": { "name": "username", //IAM username. "password": $ADMIN_PASS, //IAM password. For security, you are advised to store it in ciphertext in the configuration file or environment variable. "domain": { "name": "domainname" //Name of the account of the IAM user. } } } }, "scope": { "project": { "name": "xxxxxxxx" //Project name. } } } }
After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token when calling other APIs. For example, if the token is ABCDEFG...., X-Auth-Token: ABCDEFG.... can be added to a request as follows:
POST https://iam.myhuaweicloud.eu/v3.0/OS-USER/users Content-Type: application/json X-Auth-Token: ABCDEFG....
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.