Updated on 2025-09-15 GMT+08:00

Authentication

You can use either of the authentication methods below to call APIs.

  • AK/SK-based authentication: Requests are encrypted using an AK/SK.
  • Token-based authentication: Requests are authenticated using a token.

AK/SK-based Authentication

  • AK/SK-based authentication supports only requests with a body not larger than 12 MB. For requests with a larger body, use token-based authentication.
  • You can use either a permanent or temporary AK/SK. If you use a temporary AK/SK, the request must contain the X-Security-Token field whose value is the security_token of the temporary AK/SK.

In AK/SK-based authentication, the AK/SK is used to sign requests and the signature is then added to the request for authentication.

  • AK: a unique identifier used with an SK to sign requests cryptographically.
  • SK: a key used with an AK to sign requests, identify a request sender, and prevent the request from being modified.
In AK/SK-based authentication, you can use an AK/SK to sign requests based on the signature algorithm or use the signing SDK to sign requests. For details about how to sign requests and use the signing SDK, see AK/SK Signing and Authentication Guide.

The signing SDK is only used for signing requests and is different from the SDKs provided by services.

Token-based Authentication

  • A token obtained from IAM is valid for 24 hours. You can cache a token to avoid frequent API calls.
  • Before using a token, ensure that the token will not expire during the API calling.

A token is a temporary credential that grants permissions. During token-based authentication, the token is added to requests to get permissions for calling an API.

When calling an API to obtain a user token, you must set auth.scope in the request body to project.

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "name": "username",
                    "password": "********",
                    "domain": {
                        "name": "domainname"
                    }
                }
            }
        },
        "scope": {
            "project": {
                "name": "xxxxxxxx"
            }
        }
    }
}

After obtaining the token, add X-Auth-Token to the request header of each API request. The token you obtained is the value of X-Auth-Token. For example, if the token is ABCDEFG...., add X-Auth-Token: ABCDEFG.... to the request header as follows:

POST https://iam.ap-southeast-1.myhuaweicloud.com/v3.0/OS-USER/users
Content-Type: application/json
X-Auth-Token: ABCDEFG....