Updated on 2022-08-10 GMT+08:00

Authentication

Requests for calling an API can be authenticated using either of the following methods:

  • Token-based authentication: Requests are authenticated using a token.
  • AK/SK-based authentication: Requests are authenticated by encrypting the request body using an AK/SK pair. AK/SK-based authentication is recommended because it is more secure than token-based authentication.

Token-based Authentication

The validity period of a token is 24 hours. If a token is required, the system caches the token to avoid frequent calling.

A token specifies temporary permissions in a computer system. During API authentication using a token, the token is added to a request to get permissions for calling the API.

Obtain a token and add X-Auth-Token to the request header of API calls.

When you call an API to obtain a user token, set auth.scope in the request body to project.

{ 
     "auth": { 
         "identity": { 
             "methods": [ 
                 "password" 
             ], 
             "password": { 
                 "user": { 
                     "name": "username", 
                     "password": "********", 
                     "domain": { 
                         "name": "domainname" 
                     } 
                 } 
             } 
         }, 
         "scope": { 
             "project": { 
                 "name": "xxxxxxxx" 
             } 
         } 
     } 
 }

After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token for calling other APIs. For example, if the token is ABCDEFJ...., X-Auth-Token: ABCDEFJ.... can be added to a request header as follows:

POST https://iam.ap-southeast-3.myhuaweicloud.com/v3/auth/projects 
Content-Type: application/json  
X-Auth-Token: ABCDEFJ....

AK/SK-based Authentication

AK/SK-based authentication supports API requests with a body not larger than 12 MB. For API requests with a larger body, token-based authentication is recommended.

In AK/SK authentication, AK/SK is used to sign requests and the signature is then added to the requests for authentication.

  • AK: access key ID, which is a unique identifier used in conjunction with a secret access key to sign requests cryptographically.
  • SK: secret access key used in conjunction with an AK to sign requests cryptographically. It identifies a request sender and prevents the request from being modified.

In AK/SK-based authentication, you can use an AK/SK to sign requests based on the signature algorithm or using the signing SDK. For details about how to sign requests or use the signing SDK, see AK/SK Signing and Authentication Guide.

The signing SDK is only used for signing requests and is different from the SDKs provided by services.