Updated on 2025-07-14 GMT+08:00

Authentication

Requests for calling an API can be authenticated using either of the following methods:

  • Token authentication: Requests are authenticated using a token.
  • Access Key ID/Secret Access Key (AK/SK) authentication: Requests are authenticated by encrypting the request body using an AK/SK.

AK/SK Authentication

  • AK/SK authentication supports API requests with a body no larger than 12 MB. For API requests with a larger body, use token authentication.
  • You can use the AK/SK in a permanent or temporary access key. The X-Security-Token field must be configured if the AK/SK in a temporary access key is used, and the field value is security_token of the temporary access key.

In AK/SK authentication, the AK/SK is used to sign requests and the signature is then added to the requests for authentication.

  • AK: access key ID. It is a unique ID associated with an SK. AK is used together with SK to sign requests.
  • SK: secret access key. It is used together with an access key ID to identify a sender who initiates a request and to cryptographically sign requests, preventing the request from being modified.
In AK/SK authentication, you can use an AK/SK to sign requests based on the signature algorithm or use the signing SDK to sign requests. For details about how to sign requests and use the signing SDK, see AK/SK Signing and Authentication Guide.

The signing SDK is only used for signing requests and is different from the SDKs provided by services.

Token Authentication

  • The validity period of a token is 24 hours. When using a token for authentication, cache it to prevent frequently calling the IAM API for obtaining a user token.
  • Ensure that the token is valid while you use it. Using a token that will soon expire may cause API calling failures.

A token specifies temporary permissions in a computer system. Token authentication adds the token in a request as its header during API calling to obtain permissions to use APIs.

When calling the API used to obtain a user token, you must set auth.scope in the request body to project.

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "name": "username",
                    "password": "********",
                    "domain": {
                        "name": "domainname"
                    }
                }
            }
        },
        "scope": {
            "project": {
                "name": "xxxxxxxx"
            }
        }
    }
}

After a token is obtained, add X-Auth-Token to the request header to specify the token when calling other APIs. For example, if the token is ABCDEFJ...., X-Auth-Token: ABCDEFG.... can be added to the request header as follows:

POST https://iam.ap-southeast-1.myhuaweicloud.com/v3.0/OS-USER/users
POST https://iam.eu-west-101.myhuaweicloud.com/v3.0/OS-USER/users
Content-Type: application/json
X-Auth-Token: ABCDEFG....