Updated on 2025-01-24 GMT+08:00

Preparation

Before calling APIs in app authentication mode, complete the following operations:

  • Obtain API request information

    On the console of a gateway, choose API Management > APIs, and click an API name to go to the details page. On the APIs tab, view the domain name, request path, and request method.

  • Publish APIs in an environment

    On the console of a gateway, choose API Management > APIs, and click an API name to go to the details page. On the APIs tab, navigate to Frontend Configuration > Frontend Definition, and view the environment in which the API has been published.

  • Obtain API authentication information

    To sign an API request cryptographically through app authentication (signature authentication), the key and secret of a credential authorized to call the API are required. On the console of a gateway, choose API Management > Credentials. Go to the details page of a credential, and obtain the key and secret.

    • AppKey or Key: access key ID of an app. It is the unique ID associated with a secret access key. The access key ID and secret access key are used together to obtain an encrypted signature for a request.
    • AppSecret or Secret: secret access key used together with an access key ID to sign requests. Together, the access key ID and secret access key identify the request sender and prevent the request from being modified.
  • When sending an API request, add the current time to the X-Sdk-Date header and the signature information to the Authorization header.
    • The local time on the client must be synchronized with the clock server to avoid a large error in the value of the X-Sdk-Date request header.
    • APIG checks the time format and compares the time with the time when APIG receives the request. If the time difference exceeds 15 minutes, APIG will reject the request.
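
The time check described above can be reproduced on the client to catch clock drift before requests are rejected. This is an added example, not code from the APIG SDK: the compact UTC timestamp format is an assumption (this page does not state the format), and all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SDK_DATE_FORMAT = "%Y%m%dT%H%M%SZ"         # assumption: format not stated on this page
SDK_DATE_RE = re.compile(r"\d{8}T\d{6}Z")  # strptime alone tolerates short fields
MAX_SKEW = timedelta(minutes=15)           # rejection threshold from the text above


def format_sdk_date(now):
    """Render an aware datetime as an X-Sdk-Date value in UTC."""
    return now.astimezone(timezone.utc).strftime(SDK_DATE_FORMAT)


def parse_sdk_date(value):
    """Strictly parse an X-Sdk-Date value; raise ValueError if malformed."""
    if not SDK_DATE_RE.fullmatch(value):
        raise ValueError("bad X-Sdk-Date format: %r" % value)
    return datetime.strptime(value, SDK_DATE_FORMAT).replace(tzinfo=timezone.utc)


def check_sdk_date(value, received_at):
    """Approximate the check described above: format first, then the window."""
    try:
        sent_at = parse_sdk_date(value)
    except ValueError:
        return False, "malformed"
    skew = abs(received_at - sent_at)  # slow and fast client clocks both count
    if skew > MAX_SKEW:
        return False, "skew %ds exceeds limit" % skew.total_seconds()
    return True, "ok"


def clock_offset(http_date_header, local_now):
    """Estimate local clock error from a server's HTTP Date response header."""
    return local_now - parsedate_to_datetime(http_date_header)


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    received = datetime(2025, 1, 24, 8, 0, 0, tzinfo=timezone.utc)
    for sample in ("20250124T075500Z", "20250124T074459Z", "2025-01-24T08:00:00Z"):
        print(sample, check_sdk_date(sample, received))
    drift = clock_offset("Fri, 24 Jan 2025 08:00:00 GMT", received + timedelta(minutes=20))
    print("local clock ahead by", drift)
```

Running `clock_offset` against the `Date` header of any recent response gives a quick estimate of how far the local clock has drifted relative to the 15-minute limit.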