Updated on 2025-01-21 GMT+08:00

Authentication

Requests for calling an API can be authenticated using either of the following methods:
  • Token authentication: Requests are authenticated using tokens.
  • AK/SK authentication: Requests are encrypted using AK/SK pairs. AK/SK authentication is recommended because it is more secure than token authentication.

AK/SK Authentication

  • AK/SK authentication supports API requests with a body not larger than 12 MB. For API requests with a larger body, token authentication is recommended.
  • The AK/SK can be either a permanent access key or a temporary access key. If it is a temporary access key, the X-Security-Token field must be added to the request. The value is the security_token of the temporary access key.

In AK/SK authentication, AK/SK is used to sign requests and the signature is then added to the requests for authentication.

  • AK: access key, which is a unique identifier used together with an SK to sign requests cryptographically.
  • SK: secret access key, which is used together with an AK to sign requests cryptographically. It identifies a request sender and prevents the request from being modified.

In AK/SK authentication, you can use an AK/SK to sign requests based on the signature algorithm or using the signing SDK. For details about how to sign requests and use the signing SDK, see AK/SK Signing and Authentication Guide.

The signing SDK is only used for signing requests and is different from the SDKs provided by services.

Token Authentication

  • A token is valid for 24 hours. When using a token for authentication, cache it to avoid frequent calling.
  • To avoid token expiration during an API call, ensure that the time taken to complete a call is shorter than the time left before a token expires.

A token is used to acquire temporary permissions. During API authentication using a token, the token is added to the request header to get permissions for calling the API.

You can obtain a token by calling the Obtaining a User Token API. Global Accelerator is a global service. You can obtain a global token by calling the Obtaining User Token API. When you call the API, set auth.scope in the request body to domain.

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "name": "username",
                    "password": "********",
                    "domain": {
                        "name": "domainname"
                    }
                }
            }
        },
        "scope": {
            "domain": {
                "name": "xxxxxxxx"
            }
        }
    }
}

After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token when calling other APIs. For example, if the token is ABCDEFJ...., X-Auth-Token: ABCDEFJ.... can be added to a request as follows:

1
2
3
POST https://iam.ap-southeast-1.myhuaweicloud.com/v3.0/OS-USER/users
Content-Type: application/json
X-Auth-Token: ABCDEFJ....