Help Center/ API Gateway/ User Guide/ Configuring API Policies/ Configuring Traditional API Policies/ Configuring Signature Verification for Backend Services
Updated on 2024-11-27 GMT+08:00

Configuring Signature Verification for Backend Services

Signature keys are used by backend services to verify the identity of APIG.

A signature key consists of a key and secret, and can be used only after being bound to an API. When an API bound with a signature key is called, APIG adds signature details to the API request. The backend service of the API signs the request in the same way, and verifies the identity of APIG by checking whether the signature is consistent with that in the Authorization header sent by APIG.

Usage Guidelines

  • An API can only be bound with one signature key in a given environment, but each signature key can be bound to multiple APIs.
  • An API can be bound with only one policy of the same type.
  • Policies are independent of APIs. A policy takes effect for an API only after they are bound to each other. When binding a policy to an API, you must specify an environment where the API has been published. The policy takes effect for the API only in the specified environment.
  • After you bind a policy to an API, unbind the policy from the API, or update the policy, you do not need to publish the API again.
  • Taking an API offline does not affect the policies bound to it. The policies are still bound to the API if the API is published again.
  • Policies that have been bound to APIs cannot be deleted.

Procedure

Figure 1 Signature key process flow
  1. Create a signature key on the APIG console.
  2. Bind the signature key to an API.
  3. APIG sends signed requests containing a signature in the Authorization header to the backend service. The backend service can use different programming languages (Java, Go, Python, JavaScript, C#, PHP, C++, and C) to sign each request, and check whether the two signatures are consistent.

Creating a Signature Key Policy

  1. Go to the APIG console.
  2. Select a dedicated gateway at the top of the navigation pane.
  1. In the navigation pane, choose API Management > API Policies.
  2. On the Policies tab, click Create Policy.
  3. On the Select Policy Type page, select Signature Key in the Traditional Policy area.
  4. Set the policy information.

    Table 1 Signature key parameters

    Parameter

    Description

    Name

    Signature key name.

    Type

    Authentication type. Options: HMAC, Basic auth, AES, and Public key.

    Public key is available only if public_key_enable has been turned on on the Parameters page of the gateway.

    Signature Algorithm

    Select an AES signature algorithm. Options:

    • aes-128-cfb
    • aes-256-cfb

    Key

    Set the key based on the signature key type you have selected.

    • If Type is HMAC, enter the key of the key pair used for app authentication.
    • If Type is Basic auth, enter the username used for basic authentication.
    • If Type is set to AES, enter the key used for AES authentication.
    • If Type is Public key, enter the public key used for authentication.

    Secret

    Enter the secret information based on the key type you have selected.

    • If Type is HMAC, enter the secret of the key pair used for app authentication.
    • If Type is Basic auth, enter the password used for basic authentication.
    • If Type is set to AES, enter the vector used for AES authentication.
    • If Type is Public key, enter the private key used for authentication.

    Confirm Secret

    Enter the secret again.

  5. Click OK.

    After the policy is created, perform the operations described in Binding the Policy to APIs for the policy to take effect for the API.

Binding the Policy to APIs

  1. Click a policy name to go to the policy details page.
  2. Select an environment and click Select APIs.
  3. Select the API group, environment, and required APIs.

    APIs can be filtered by API name or tag. The tag is defined during API creation.

  4. Click OK.

    • If an API no longer needs this policy, click Unbind in the row that contains the API.
    • If there are multiple APIs that no longer need this policy, select these APIs, and click Unbind above the API list. You can unbind a policy from a maximum of 1000 APIs at a time.

Verifying the Signing Result

Sign each backend request by following the instructions in Signature Algorithm, and check whether the backend signature is consistent with the signature in the Authorization header of the API request.