Updated on 2022-08-08 GMT+08:00


Requests for calling an API can be authenticated using either of the following methods:

  • Token-based authentication: Requests are authenticated using a token.
  • AK/SK-based authentication: Requests are authenticated by encrypting the request body using an AK/SK pair.

Token-based Authentication

The validity period of a token is 24 hours. When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token.

A token specifies temporary permissions in a computer system. During API authentication using a token, the token is added to requests to get permissions for calling the API.

When calling the API to obtain a user token, you must set auth.scope in the request body to project.

    "auth": { 
        "identity": { 
            "methods": [ 
            "password": { 
                "user": { 
                    "name": "username", 
                    "password": "********",  //The password is that of the current account. If you log in using a subaccount, set this parameter to the password of the subaccount.
                    "domain": { 
                        "name": "domainname" 
        "scope": { 
            "project": { 
                "name": "xxxxxxxx" 

After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token when calling other APIs. For example, if the token is ABCDEFJ...., X-Auth-Token: ABCDEFJ.... can be added to a request as follows:

POST https://{{IAM endpoint}}/v3/auth/projects
Content-Type: application/json 
X-Auth-Token: ABCDEFJ....

AK/SK-based Authentication

AK/SK-based authentication and token-based authentication apply only to requests whose body size is less than 12 MB.

In AK/SK-based authentication, AK/SK is used to sign requests and the signature is then added to the requests for authentication.

  • AK: access key ID, which is a unique identifier used in conjunction with a secret access key to sign requests cryptographically.
  • SK: secret access key used in conjunction with an AK to sign requests cryptographically. It identifies a request sender and prevents the request from being modified.

In AK/SK-based authentication, you can use an AK/SK to sign a request based on the signature algorithm.