Updated on 2025-06-24 GMT+08:00

Authentication

Requests for calling an API can be authenticated using either of the following methods:

  • Authentication using tokens: General requests are authenticated using tokens.

  • AK/SK-based authentication: Requests are authenticated by signing them with an Access Key ID/Secret Access Key (AK/SK) pair; the signature is carried in the request headers.

Token Authentication

A token is a character string generated by the server that the client presents as a credential when sending requests. After the first login, the server generates a token and returns it to the client. The client then only needs to carry the token to request data and does not need to send the username and password again. A token is valid for 24 hours, starting from the time the client obtains it. If the same token is to be reused for authentication, caching it is recommended to avoid calling the token API frequently. Before the token expires, you must update it or obtain a new one; otherwise, authentication on the server fails once the token expires.

Obtaining a new token does not affect the validity of the existing token.

A token grants temporary permissions. In token-based authentication, the token is added to the request header when an API is called, which gives the request permission to operate on that API.

Call the API Obtaining a User Token Through Password Authentication to obtain the token. The following is an example:

POST https://iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens 
Content-Type: application/json 

{ 
    "auth": { 
        "identity": { 
            "methods": [ 
                "password" 
            ], 
            "password": { 
                "user": { 
                    "name": "username", 
                    "password": "********", 
                    "domain": { 
                        "name": "domainname" 
                    } 
                } 
            } 
        }, 
        "scope": { 
            "project": { 
                "name": "projectname" 
            } 
        } 
    } 
}

Note: username indicates the IAM username, password indicates the password for logging in to Huawei Cloud, domainname indicates the account name, and projectname indicates the project name. You can obtain them from the My Credentials page.

Figure 1 API credential - obtaining credential information

In the response of the API used to obtain a user token, the value of the X-Subject-Token header is the user token.

After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token when calling other APIs. For example, if the token is ABCDEFG..., X-Auth-Token: ABCDEFG... can be added to a request as follows:

GET https://iotda.cn-north-4.myhuaweicloud.com/v5/iot/{project_id}/products/{product_id}
Content-Type: application/json 
X-Auth-Token: ABCDEFG...
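
The token handling described above (obtain once, cache, renew before the 24-hour validity period ends, send as X-Auth-Token) can be implemented as follows. This is an added example, not code from Huawei Cloud or its SDK; the names build_auth_body, fetch_token and TokenCache and the 15-minute REFRESH_MARGIN are assumptions made for illustration.

```python
import json
import time
import urllib.request

# Endpoint and body shape are taken from the example request on this page.
IAM_URL = "https://iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens"
TOKEN_LIFETIME = 24 * 3600   # validity period stated on this page
REFRESH_MARGIN = 15 * 60     # assumption: renew 15 minutes before expiry


def build_auth_body(username, password, domainname, projectname):
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": username, "password": password,
            "domain": {"name": domainname}}}},
        "scope": {"project": {"name": projectname}}}}


def fetch_token(body, url=IAM_URL):
    """POST the credentials and return the X-Subject-Token response header."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        token = resp.headers.get("X-Subject-Token")
    if not token:
        raise RuntimeError("response carried no X-Subject-Token header")
    return token


class TokenCache:
    """Hypothetical helper: keeps one token in memory, renews it before expiry."""

    def __init__(self, body, fetch=fetch_token, clock=time.monotonic):
        self._body, self._fetch, self._clock = body, fetch, clock
        self._token, self._obtained = None, 0.0

    def token(self):
        now = self._clock()  # taken before the request, so the age is never underestimated
        if self._token is None or now - self._obtained >= TOKEN_LIFETIME - REFRESH_MARGIN:
            self._token = self._fetch(self._body)
            self._obtained = now
        return self._token

    def headers(self):
        # Header set used by the IoTDA request example on this page.
        return {"Content-Type": "application/json", "X-Auth-Token": self.token()}

    def __repr__(self):
        return "TokenCache(<redacted>)"  # keep the token and password out of logs
```

Load the password from a secret store or environment variable rather than source code, and keep the cached token in memory only, since anyone holding it can call the APIs until it expires.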

AK/SK-based Authentication

AK/SK-based authentication supports API requests with a body not larger than 12 MB. For API requests with a larger body, token-based authentication is recommended.

In AK/SK-based authentication, AK/SK is used to sign requests and the signature is then added to the request headers for authentication.

  • AK: access key ID. It is a unique ID associated with an SK. AK is used together with SK to sign requests.

  • SK: secret access key. It is used together with an AK to sign requests. Together, the AK and SK identify request senders and prevent requests from being modified.

In AK/SK-based authentication, you can use AK/SK to sign requests based on the V11-HMAC-SHA256 signature algorithm.

For details about how to implement the Java signature, see DerivedAKSKSigner.java in the signature module of the Huawei Cloud SDK.

For details about how to implement the Python signature, see DerivationAKSKSigner in signer.py of the Huawei Cloud SDK.

For details about how to implement the Go signature, see derived_signer.go in the signature module of the Huawei Cloud SDK.

For details about how to implement the PHP signature, see DerivedAKSKSigner.php in the signature module of the Huawei Cloud SDK.

For details about how to implement the Node.js signature, see DerivedAKSKSigner.ts in the signature module of the Huawei Cloud SDK.

For details about how to implement the C# signature, see DerivedSigner.cs in the signature module of the Huawei Cloud SDK.

The signature SDK provides only the signature function. You are advised to use the SDK provided by IoTDA.