Help Center/ Cloud Search Service_KooSearch/ API Reference/ Calling APIs/ Authentication
Updated on 2025-08-13 GMT+08:00
View PDF
Share

Authentication

You can use either of the following authentication methods when calling an API:

  • IAM: Requests are authenticated using a token.
  • App: You can use app authentication after API providers open their APIs on APIG. Depending on the API authentication method you choose, you need to obtain the required credentials. For details about app authentication, see Calling APIs Through App Authentication. We recommend AppCode-based authentication.

IAM Authentication

IAM uses token-based authentication.

  • The validity period of a token is 24 hours. When using a token for authentication, cache it to prevent frequently calling the API used to obtain a user token.
  • Ensure that the token is valid while you use it. Using a token that will soon expire may cause API calling failures.

A token specifies certain permissions in a computer system. During API authentication using a token, the token is added to the request header to get permissions for calling the API.

When calling the API to obtain a user token, you must set auth.scope in the request body to project.

{
	"auth": {
		"identity": {
			"methods": [
				"password"
			],
			"password": {
				"user": {
					"name": "username",    //Username
					"password": "********",    //Login password
					"domain": {
						"name": "domainname"    //Name of the account to which the user belongs
					}
				}
			}
		},
		"scope": {
			"project": {
				"name": "xxxxxxxx"    //Project name
			}
		}
	}
}

After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token when calling other APIs. For example, if the token is ABCDEFJ...., X-Auth-Token: ABCDEFJ.... can be added to a request as follows:

POST https://iam.ap-southeast-1.myhuaweicloud.com/v3.0/OS-USER/users
Content-Type: application/json
X-Auth-Token: ABCDEFJ....

App Authentication

AppCode authentication in App authentication is a relatively more straightforward authentication method for API calling. For authentication, it adds the X-Apig-AppCode parameter to the HTTP request header, without the need for a complex signature-signing process. Use app authentication where the client environment is secure and controllable, for example, for API calling between internal systems.

To use app authentication, publish the API to the target environment, and while doing this, select app authentication as the authentication method. For details, see .

The procedure for enabling app authentication is as follows:

  1. Go to the details page of a KooSearch service.
    1. Log in to the CSS management consoleCSS management console.
    2. In the navigation pane on the left, choose KooSearch > KooSearch Document Q&A.
    3. Click the name of the target service to go to the service details page.
  2. Click the API Management tab.
  3. Select the published API and click Publish in the Operation column.
  4. Click Credential Management. The credential management page is displayed.

  5. Click the name of the credential used by the API. On the displayed credential details page, check the value of AppCode.

  6. When using Postman to send a request, add the parameter X-Apig-AppCode to the request header, and ignore the request signature. Set the value to the generated AppCode, as shown in the figure below.

Parent topic: Calling APIs