Updated on 2022-02-21 GMT+08:00

Creating and Using a Signature Key

Scenario

Signature keys are used by backend services to verify the identity of API Gateway.

A signature key consists of a key and secret, and can be used only after being bound to an API. When an API bound with a signature key is called, API Gateway adds signature details to the API request. The backend service of the API signs the request in the same way, and verifies the identity of API Gateway by checking whether the signature is consistent with that in the Authorization header sent by API Gateway.

  • You can create a maximum of 30 signature keys.
  • An API can only be bound with one signature key in a given environment, but each signature key can be bound to multiple APIs.

Procedure

  1. Create a signature key on the API Gateway console.
  2. Bind the signature key to an API.
  3. API Gateway sends signed requests containing a signature in the Authorization header to the backend service. The backend service can use different programming languages (such as Java, Go, Python, JavaScript, C#, PHP, C++, C, and Android) to sign each request, and check whether the two signatures are consistent.
Figure 1 Signature key process flow

Creating a Signature Key

  1. Log in to the management console.
  2. Click in the upper left corner and choose API Gateway.
  3. In the navigation pane, choose API Publishing > Signature Keys.
  4. Click Create Signature Key.
  5. In the Create Signature Key dialog box, set the parameters listed in Table 1.

    Table 1 Parameters for creating a signature key

    Parameter

    Description

    Name

    Signature key name.

    Key

    Combined with Secret to form a signature key pair.

    Secret

    Combined with Key to form a signature key pair.

    Confirm Secret

    Enter the secret again.

  6. Click OK.

Binding a Signature Key to an API

  1. In the navigation pane, choose API Publishing > Signature Keys.
  2. Bind a signature key to an API. You can use one of the following methods:

    • In the Operation column of the signature key to be bound to an API, click Bind to API.
    • Click the name of the target signature key.

  3. Click Select API.
  4. Specify an API group, environment, and API name keyword to search for the desired API.
  5. Select the API and click OK.

    If a signature key is no longer needed for an API, unbind it from the API.

Verifying the Signing Result

Sign each backend request by following the instructions in chapter "Creating Signatures for Backend Requests" of the Developer Guide, and check whether the backend signature is consistent with the signature in the Authorization header of the API request.