Updated on 2023-12-19 GMT+08:00

Preparation

Before calling APIs in app authentication mode, complete the following operations:

  • Obtain API request information

    On the console of a gateway, choose API Management > APIs, and click an API name to go to the details page. On the APIs tab, view the domain name, request path, and request method.

  • Publish APIs in an environment

    On the console of a gateway, choose API Management > APIs, and click an API name to go to the details page. On the APIs tab, navigate to Frontend Configuration > Frontend Definition, and view the environment in which the API has been published.

  • Obtain API authentication information

    To sign an API request cryptographically through app authentication (signature authentication), the key and secret of a credential authorized to call the API are required. On the console of a gateway, choose API Management > Credentials. Go to the details page of a credential, and obtain the key and secret.

    • AppKey or Key: access key ID of an app. It is the unique ID associated with a secret access key. The access key ID and secret access key are used together to obtain an encrypted signature for a request.
    • AppSecret or Secret: secret access key used together with an access key ID to sign requests. Together, the access key ID and secret access key identify the request sender and prevent the request from being modified.
  • When sending an API request, add the current time to the X-Sdk-Date header and the signature information to the Authorization header.

    The local time on the client must be synchronized with the clock server to avoid a large error in the value of the X-Sdk-Date request header.

    APIG checks the time format and compares the time with the time when APIG receives the request. If the time difference exceeds 15 minutes, APIG will reject the request.
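
The sketch below is an added example, not code from APIG or its SDKs. It mirrors the two checks described above (time format, then the 15-minute window) so that a client can test its X-Sdk-Date value and clock drift before sending a signed request. The compact UTC layout `YYYYMMDDTHHMMSSZ` and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: compact UTC timestamp layout for X-Sdk-Date (not stated on this page).
SDK_DATE_FORMAT = "%Y%m%dT%H%M%SZ"
MAX_SKEW = timedelta(minutes=15)  # window stated on this page


def format_sdk_date(now):
    """Render a timezone-aware datetime as an X-Sdk-Date value in UTC."""
    if now.tzinfo is None:
        # A naive local time formatted with a trailing "Z" would be off by
        # the local UTC offset (8 hours for GMT+08:00) and fail the window.
        raise ValueError("naive datetime: attach a timezone before signing")
    return now.astimezone(timezone.utc).strftime(SDK_DATE_FORMAT)


def check_sdk_date(header_value, received_at):
    """Hypothetical gateway-side check: format first, then time window.

    Returns (accepted, reason, skew_seconds); skew is sender minus receiver.
    """
    try:
        sent = datetime.strptime(header_value, SDK_DATE_FORMAT)
    except (TypeError, ValueError):
        return False, "bad-format", None
    skew = (sent.replace(tzinfo=timezone.utc) - received_at).total_seconds()
    if abs(skew) > MAX_SKEW.total_seconds():
        return False, "skew-exceeded", skew
    return True, "ok", skew


def clock_offset_from_date_header(http_date, local_now):
    """Estimate local clock error (seconds) from an HTTP Date response header."""
    return (local_now - parsedate_to_datetime(http_date)).total_seconds()


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    received = datetime(2023, 12, 19, 8, 15, 0, tzinfo=timezone.utc)
    for value in ("20231219T081500Z", "20231219T083001Z", "2023-12-19T08:15:00Z"):
        print(value, check_sdk_date(value, received))
    print(clock_offset_from_date_header("Tue, 19 Dec 2023 08:15:00 GMT",
                                        received + timedelta(seconds=120)))
```

Running `clock_offset_from_date_header` against the `Date` header of any recent response gives an early warning when the client clock is drifting toward the rejection window.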