Authentication
You can use either of the following authentication methods when calling APIs:
- AK/SK-based authentication: Requests are signed using an Access Key ID/Secret Access Key (AK/SK) pair.
- Token-based authentication: General requests are authenticated using tokens.
AK/SK-based Authentication
AK/SK-based authentication uses AK/SK to sign requests, and the signature is then added to request headers for authentication.
- AK: An access key ID, which is a unique identifier associated with a secret access key and is used together with a secret access key to sign requests cryptographically.
- SK: A key that is used in conjunction with the AK to cryptographically sign requests. Signing a request identifies the sender and prevents the request from being modified.
In AK/SK-based authentication, you can sign requests either using an AK/SK pair based on the signature algorithm or using the signing SDK. For details about how to sign requests and use the signing SDK, see AK/SK Signing and Authentication Guide.
Unlike the SDKs provided by services, the signing SDK is only used for signing requests.
Constraints
- AK/SK-based authentication supports API requests with a body no larger than 12 MB. For API requests with a larger body, you should use token-based authentication.
- The AK/SK can belong to either a permanent or a temporary access key. If you are using a temporary access key, you must also configure the X-Security-Token field, whose value is the security_token of the temporary access key.
- API Gateway checks the time format and compares the request time with the time when API Gateway received the request. If the time difference exceeds 15 minutes, API Gateway will reject the request. Therefore, the local time on the client must be synchronized with the clock server to avoid a large offset in the value of the X-Sdk-Date request header.
Token-based Authentication
A token specifies temporary permissions in a computer system. During API authentication using a token, the token is included in the request headers to get permissions for calling the API.
- The validity period of a token is 24 hours. When using a token for authentication, cache it to prevent frequently calling the API for obtaining a user token.
- Ensure that the token is valid when you use it. Using a token that will soon expire may cause API calling failures.
When calling the API to obtain a user token, set auth.scope in the request body to project.
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "name": "username",
                    "password": "********",
                    "domain": {
                        "name": "domainname"
                    }
                }
            }
        },
        "scope": {
            "project": {
                "name": "xxxxxxxx"
            }
        }
    }
}
After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token when calling other APIs. For example, if the token is ABCDEFG...., add X-Auth-Token: ABCDEFG.... to a request as follows:
GET https://iam.ap-southeast-3.myhuaweicloud.com/v3.0/OS-USER/users
Content-Type: application/json
X-Auth-Token: ABCDEFG....