Help Center> Message & SMS> API Reference> APIs> SMS Sending and Receiving APIs> Calling APIs> Authentication
Updated on 2023-07-06 GMT+08:00
View PDF

Authentication

AK/SK or X-WSSE authentication is required for calling APIs.

AK/SK authentication mode is recommended because the algorithm is more secure.

AK/SK Authentication (Recommended)

  • AK/SK authentication supports API requests with a body not larger than 12 MB.
  • The method of obtaining the AK, SK, and endpoint in this authentication is different from that in common AK/SK authentication.

AK/SK is used to sign requests and the signature is then added to the request headers for authentication.

  • Application Key (AK): access key ID, which is a unique identifier used in conjunction with a secret access key to sign requests cryptographically.
  • Application Secret (SK): a key used together with the AK to sign requests. The AK and SK identify senders and prevent requests from being altered.

You can sign requests using an AK/SK based on the signature algorithm or using the signing SDK. This document provides signature SDKs and API calling examples in multiple languages, such as Java, Go, Python, and C. You can find the language you need in Signing SDKs and Demo and integrate the SDK into your application by referring to the examples and API calling description. Replace the AK/SK in the demos with the Application Key and Application Secret obtained from the Message & SMS console, and replace the Endpoint/HOST with the application access addresses described in API Usage Description. X-Project-Id, X-Domain-Id, and Project_Id are not involved.

Unlike the SDKs provided by services, the signing SDK is used only for signing.

X-WSSE Authentication

X-WSSE authentication is used for calling SMS sending APIs. The X-WSSE token is a string with a single HTTP header line.

X-WSSE format: UsernameToken Username="Application key value", PasswordDigest="Value of PasswordDigest", Nonce="Random string", Created="Time when the random string is generated"
  • PasswordDigest: The value is generated based on Base64 (SHA256 (Nonce + Created + Password)). The string consisting of Nonce, Created, and Password is SHA256 encrypted and does not contain plus signs (+) or spaces. Password indicates the value of application secret.
  • Nonce: When a platform user sends a request, a 1–128 character string with letters and digits is generated, for example, 66C92B11FF8A425FB8D4CCFE0ED9ED1F.
  • Created: indicates the time when the random string is generated. Standard UTC is used, for example, 2018-02-12T15:30:20Z. The time formats vary by programming language. For details, see Table 3.

When you call SMS sending APIs, add the obtained X-WSSE token to the request header by referring to the following example:

POST /sms/batchSendSms/v1 HTTP/1.1
x-real-ip: 10.10.10.10 
x-real-port: 10443 
host: ompap.inner
content-length: 184 
date: Fri, 13 Apr 2018 06:31:39 GMT
authorization: WSSE realm="SDP",profile="UsernameToken",type="Appkey"
x-wsse: UsernameToken Username="ARBRz4bAXoFgEH7o4Ew308eXc1RA",PasswordDigest="NDA1MWIwNjI2ZTkyNWFlM2FhMTE5NDE1YTk5NjU1YWE4NjNlZTY1MmRhYzkxZGViNzczZjdjMjkzZWQ4ZjAwNA==",Nonce="ac1c911c4792492687f8f6b2264a491e",Created="2018-05-26T00:35:30Z"
accept: application/json
content-type: application/x-www-form-urlencoded

from=1069********0012&to=%2B86155****5678&templateId=abcdefghabcdefghabcdefghabcdefgh&templateParas=%5B%22520520%22%5D&statusCallback=http%3A%2F%2F205%2E145%2E111%2E168%3A9330%2Freport
Parent topic: Calling APIs