Updated on 2024-06-27 GMT+08:00

Authentication

Requests for calling an API can be authenticated using either of the following methods:

  • Authentication using tokens: General requests are authenticated using tokens.

  • Access Key ID/Secret Access Key (AK/SK)-based authentication: Requests are authenticated by signing them with an AK/SK.

Token Authentication

A token is a character string that the server generates and the client presents when sending a request. After the first login, the server generates a token and returns it to the client. The client then only needs to carry the token when requesting data and does not need to send the username and password again. A token is valid for 24 hours, starting from the time when the client obtains it. If the same token needs to be used for authentication, it is recommended that the token be cached to avoid calling the token API frequently. Before the token expires, you must update the token or obtain a new one. Otherwise, authentication on the server fails once the token has expired.

Obtaining a new token does not affect the validity of the existing token.

A token is used to acquire temporary permissions. In token-based authentication, the token is added to a request header when an API is called, which grants permission to operate that API.

Call the API Obtaining a User Token Through Password Authentication to obtain the token. The following is an example:

POST https://iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens 
Content-Type: application/json 

{ 
    "auth": { 
        "identity": { 
            "methods": [ 
                "password" 
            ], 
            "password": { 
                "user": { 
                    "name": "username", 
                    "password": "********", 
                    "domain": { 
                        "name": "domainname" 
                    } 
                } 
            } 
        }, 
        "scope": { 
            "project": { 
                "name": "projectname" 
            } 
        } 
    } 
}

Note: username indicates the IAM username, password indicates the password for logging in to Huawei Cloud, domainname indicates the account name, and projectname indicates the project name. You can obtain them from the My Credentials page.

Figure 1 API credential - obtaining credential information

In the response from the API used to obtain a user token, the value of the X-Subject-Token header is the user token.

After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token when calling other APIs. For example, if the token is ABCDEFJ...., X-Auth-Token: ABCDEFJ.... can be added to a request as follows:

GET https://iotda.cn-north-4.myhuaweicloud.com/v5/iot/{project_id}/products/{product_id}
Content-Type: application/json 
X-Auth-Token: ABCDEFJ....
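
The token handling described above (request once, read X-Subject-Token, cache for the 24-hour validity period, send as X-Auth-Token) can be wrapped in a small client-side cache. This is an added example, not Huawei Cloud code: the TokenCache class, the post transport hook and the 5-minute refresh margin are assumptions made for illustration.

```python
import json
import time

TOKEN_URL = "https://iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens"
TOKEN_TTL = 24 * 3600    # validity period stated on this page, counted from issue
REFRESH_MARGIN = 300     # assumption: renew 5 minutes before the token expires


class TokenCache:
    """Hypothetical helper: caches the user token and renews it before expiry."""

    def __init__(self, post, username, password, domainname, projectname,
                 clock=time.time):
        # post(url, headers, body) -> (status, response_headers) is an assumed
        # transport hook, so any HTTP client (or a test double) can be plugged in.
        self._post, self._clock = post, clock
        self._body = json.dumps({"auth": {
            "identity": {"methods": ["password"], "password": {"user": {
                "name": username, "password": password,
                "domain": {"name": domainname}}}},
            "scope": {"project": {"name": projectname}}}})
        self._token, self._expires_at = None, 0.0

    def token(self):
        """Return the cached token, requesting a new one only when needed."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            issued_at = self._clock()
            status, headers = self._post(
                TOKEN_URL, {"Content-Type": "application/json"}, self._body)
            # HTTP header names are case-insensitive; the token is in X-Subject-Token.
            token = {k.lower(): v for k, v in headers.items()}.get("x-subject-token")
            if not 200 <= status < 300 or not token:
                # Report only the status; never log the request body or the token.
                raise RuntimeError(f"token request failed with HTTP {status}")
            self._token, self._expires_at = token, issued_at + TOKEN_TTL
        return self._token

    def auth_headers(self):
        """Headers for calls to other APIs, carrying the token in X-Auth-Token."""
        return {"Content-Type": "application/json", "X-Auth-Token": self.token()}


if __name__ == "__main__":
    # Constructed stand-in for the IAM endpoint so the example runs offline.
    def fake_post(url, headers, body):
        return 201, {"X-Subject-Token": "constructed-token"}

    cache = TokenCache(fake_post, "username", "********", "domainname", "projectname")
    print(sorted(cache.auth_headers()))   # header names only, not the token value
```

Because the cache keeps the password in memory to build later token requests, load it from a secret store or environment variable at start-up rather than hard-coding it.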

AK/SK-based Authentication

AK/SK-based authentication supports API requests with a body not larger than 12 MB. For API requests with a larger body, token-based authentication is recommended.

In AK/SK-based authentication, the AK/SK is used to sign requests, and the signature is then added to the request headers for authentication.

  • AK: access key ID. It is a unique ID associated with an SK. AK is used together with SK to sign requests.

  • SK: secret access key. It is used together with an AK to sign requests. Together, the AK and SK identify request senders and prevent requests from being modified.

In AK/SK-based authentication, you can sign requests using an AK/SK based on the signature algorithm or using the signing SDK. For details about how to sign requests and use the signing SDK, see AK/SK Signing and Authentication Guide.

The signing SDK is only used for signing requests and is different from the SDKs provided by services.