Updated on 2025-07-18 GMT+08:00

Authentication

You can use either of the following authentication methods when calling APIs:

  • AK/SK-based authentication: Requests are authenticated by encrypting the request body using an AK/SK. AK/SK-based authentication is recommended because it is more secure than token-based authentication.
  • Token-based authentication: Requests are authenticated using a token.

AK/SK-based Authentication

An AK/SK is used to verify the identity of a request sender. In AK/SK-based authentication, a signature needs to be obtained and then added to the request header.

  • AK: access key ID, which is a unique identifier used in conjunction with a secret access key to sign requests cryptographically.
  • SK: secret access key used in conjunction with an AK to sign requests cryptographically. It identifies a request sender and prevents the request from being modified.

The following demo shows how to sign a request and use an HTTP client to send an HTTPS request.

Download the demo project from https://github.com/api-gate-way/SdkDemo.

If you do not need the demo project, download the API Gateway signing tool and reference it.

Obtain the download address of the API Gateway signing tool from the enterprise administrator.

Decompress the downloaded package to obtain a JAR file. Reference the JAR file to the dependency path, as shown below.

  1. Generate an AK/SK. If an AK/SK file has already been obtained, skip this step and locate the downloaded AK/SK file. Generally, the file name will be credentials.csv.

    1. Log in to the console.
    2. Hover the mouse pointer over the username and choose My Credentials from the drop-down list.
    3. In the navigation pane, choose Access Keys.
    4. Click Create Access Key.
    5. On the displayed page, enter the login password.
    6. Enter the verification code received by email or SMS message.

      For users created in IAM, if no email address or phone number was specified during the user creation, only a login password is required.

    7. Click OK to download the access key.

      Keep the access key secure.

  2. Decompress the demo project.
  3. Import the demo project into Eclipse.

    Figure 1 Selecting Existing Projects into Workspace
    Figure 2 Selecting the demo project
    Figure 3 Example structure

  4. Sign the request.

    The request signing method is integrated in the JAR files imported in 3. The request needs to be signed before it is sent. The signature will then be added as part of the HTTP header to the request.

    The demo code is classified into three parts:
    • AccessService: an abstract class that merges the GET, POST, PUT, and DELETE methods into the access method.
    • Demo: an execution entry used to simulate the sending of GET, POST, PUT, and DELETE requests.
    • AccessServiceImpl: implements the access method, which contains the code required for communicating with API Gateway.
    1. (Optional) Add request header fields.

      Locate the following rows in the AccessServiceImpl.java file, cancel code line shielding, and replace the subproject ID and account ID with the actual ones.

      //TODO: Add special headers. 
      //request.addHeader("X-Project-Id", "xxxxx"); 
      //request.addHeader("X-Domain-Id", "xxxxx");
    2. Edit the main() method in the Demo.java file, and replace the bold text with actual values.

      Replace the bold texts with actual values. If you use other methods, such as POST, PUT, and DELETE, see the corresponding comments.

      Replace region, serviceName, ak/sk, and url with the actual values. In the demo, the URL for querying a VPC was used. Replace it with the required URL. To obtain the project ID needed in the URL, see Obtaining the Account ID and Project ID. To obtain the endpoint, see Endpoints.

      //TODO: Replace region with the name of the region in which the service to be accessed is located.  
       private static final String region = ""; 
        
       //TODO: Replace vpc with the name of the service you want to access. For example, ecs, vpc, iam, and elb. 
       private static final String serviceName = ""; 
        
       public static void main(String[] args) throws UnsupportedEncodingException 
       { 
       //TODO: Replace the AK and SK with those obtained on the My Credential page. 
       //TODO: Directly writing AK/SK in code is risky. For security, encrypt your AK/SK and store them in the configuration file or environment variables. 
       //TODO: Before running this example, set environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK. 
       String ak = System.getenv("HUAWEICLOUD_SDK_AK"); 
       String sk = System.getenv("HUAWEICLOUD_SDK_SK"); 
        
       //TODO: To specify a project ID (multi-project scenarios), add the X-Project-Id header. 
       //TODO: To access a global service, such as IAM, DNS, CDN, and TMS, add the X-Domain-Id header to specify an account ID. 
       //TODO: To add a header, find "Add special headers" in the AccessServiceImple.java file. 
        
       //TODO: Test the API 
       String url = "https://{Endpoint}/v1/{project_id}/vpcs"; 
       get(ak, sk, url); 
        
       //TODO: When creating a VPC, replace {project_id} in postUrl with the actual value. 
       //String postUrl = "https://serviceEndpoint/v1/{project_id}/cloudservers"; 
       //String postbody ="{\"vpc\": {\"name\": \"vpc\",\"cidr\": \"192.168.0.0/16\"}}"; 
       //post(ak, sk, postUrl, postbody); 
        
       //TODO: When querying a VPC, replace {project_id} in url with the actual value. 
       //String url = "https://serviceEndpoint/v1/{project_id}/vpcs/{vpc_id}"; 
       //get(ak, sk, url); 
        
       //TODO: When updating a VPC, replace {project_id} and {vpc_id} in putUrl with the actual values. 
       //String putUrl = "https://serviceEndpoint/v1/{project_id}/vpcs/{vpc_id}"; 
       //String putbody ="{\"vpc\":{\"name\": \"vpc1\",\"cidr\": \"192.168.0.0/16\"}}"; 
       //put(ak, sk, putUrl, putbody); 
        
       //TODO: When deleting a VPC, replace {project_id} and {vpc_id} in deleteUrl with the actual values. 
       //String deleteUrl = "https://serviceEndpoint/v1/{project_id}/vpcs/{vpc_id}"; 
       //delete(ak, sk, deleteUrl); 
       }
    3. Compile the code and call the API.

      In the Package Explorer area on the left, right-click Demo.java and choose Run AS > Java Application from the shortcut menu to run the demo code.

      You can view API call logs on the console.

Token-based Authentication

  • The validity period of a token is 24 hours. If a token is used for authentication, cache it to prevent frequent API calling.
  • Ensure that the token is valid when you use it. Using a token that will soon expire may cause API calling failures.

A token specifies temporary permissions in a computer system. During API authentication using a token, the token is added to requests to get permissions for calling the API.

You can obtain a token by calling the API for obtaining a user token. This API is project-level. When calling it, you must set auth.scope in the request body to project.

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "name": "username",
                    "password": "********",
                    "domain": {
                        "name": "domainname"
                    }
                }
            }
        },
        "scope": {
            "project": {
                "name": "xxxxxxxx"
            }
        }
    }
}

After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token when calling other APIs. For example, if the token is ABCDEFG...., add X-Auth-Token: ABCDEFG.... to a request as follows:

POST https://{{endpoint}}/v3.0/OS-USER/users
Content-Type: application/json
X-Auth-Token: ABCDEFG....