Cloud-native API Gateway uses consumers to enable authentication for routes and APIs. You can create, deactivate, and delete consumers in the console.
Create a consumer
Cloud-native API Gateway provides three authentication methods.
| Method | Description | When to use |
|---|---|---|
| API key | The client adds a credential to the request. The gateway validates its legitimacy and permissions. Less secure than JWT or AK/SK. Protect your credentials carefully. | Lightweight, quick-integration scenarios with low security requirements. |
| JWT | JWT is a standard for securely transmitting information between a client and a server using HMAC, RSA, or ECDSA signatures. Use JWT for identity verification and access control in the gateway. | Suitable for distributed systems and SSO scenarios. |
| HMAC | The client uses an AK/SK pair to sign the request content with the HMAC algorithm, then sends the signature to the gateway for validation. | Scenarios that require high data integrity and tamper-proofing. |
Create a consumer with API key authentication
- Go to the Consumers page in the Cloud-native API Gateway console and select a region.
- Click Create a consumer. In the Create Consumer panel, set Consumer Name, select API Key as the authentication method, and complete the following configurations:
  - Generation Method:
    - System Generated: The system automatically generates an API key for you.
    - Custom: Specify a custom API key and its source.
  - Credential: The custom API key.
  - Credential Source: The location in the request from which the gateway retrieves the API key:
    - Authorization: Bearer <token> (Standard token format)
    - Custom HTTP Header (such as X-API-Key: your-key)
    - Custom Query Parameter (such as ?apikey=your-key)
Create a consumer with JWT authentication
- Go to the Consumers page in the Cloud-native API Gateway console and select a region.
- Click Create a consumer. In the Create Consumer panel, set Consumer Name, select JSON Web Token (JWT) as the authentication method, and complete the following configurations:
  - Creation Method:
    - Local Configuration: Use when the authentication service and gateway are in the same cluster or LAN, performance requirements are high, and keys change infrequently.
    - Remote Fetch: Use with a unified identity center such as OAuth2 or OpenID Connect. Supports dynamic key updates. Ideal for multi-tenant or production environments.
  - Key Type (not required for Remote Fetch):
    - Symmetric Key: Generates a default JWKS configuration unique to each consumer, containing the key used to sign and verify tokens.
    - Asymmetric Key: Provide a complete JWKS configuration and use a private key to sign the token. The gateway verifies the signature with the public key in the JWKS.
  - JWKS:
    - If you select Local Configuration, configure the JWKS based on the JSON Web Key (JWK) specification.
    - If you select Remote Fetch, enter the URL. The system automatically parses the port number, timeout period, and cache duration from the URL.
      Important: The URL must be a domain name, not an IP address.
  - JWT Token: Set the JWT token configuration.
    - Type: The type of the token parameter. The default is Header.
    - Key: The token parameter name.
    - Prefix: The token parameter prefix. Defaults to the Authorization header with the Bearer prefix, for example, Authorization: Bearer token.
    - Enable Passthrough: Passes the token parameter through to the backend service.
  - Consumer ID in JWT Payload: A key-value pair in the JWT payload that identifies the consumer. Defaults to `uid` with a random string value. Customizable. Sample payload:
    { "uid": "11215ac069234abcb8944232b79ae711" }
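The following added example (not part of the original page and not the gateway's own code) sketches, using only the Python standard library, how a symmetric-key JWKS, the Authorization: Bearer token parameter and the `uid` consumer-ID claim fit together, including the rejections a verifier should make. The key value, the `kid` value `demo-key`, the function names and the `exp` check are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed symmetric JWK (kty "oct", RFC 7517/7518); sample value only.
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key", "alg": "HS256",
                  "k": b64url(b"constructed-demo-secret-not-real")}]}

def sign(jwk: dict, signing_input: str) -> bytes:
    return hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()

def issue_token(jwk: dict, uid: str, ttl: int = 300) -> str:
    """Client side: mint an HS256 token carrying the consumer ID claim."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    payload = {"uid": uid, "exp": int(time.time()) + ttl}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    return f"{signing_input}.{b64url(sign(jwk, signing_input))}"

def consumer_from_header(authorization: str, jwks: dict, claim: str = "uid"):
    """Verifier sketch: return the consumer ID, or None if the token is rejected."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    head_b64, body_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return None
    # Pick the key by kid and pin the algorithm to the key's own "alg",
    # so a header claiming "none" or a different algorithm is refused.
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None or jwk.get("kty") != "oct" or header.get("alg") != jwk.get("alg"):
        return None
    if not hmac.compare_digest(sig, sign(jwk, f"{head_b64}.{body_b64}")):
        return None
    # Assumption of this sketch: tokens must carry an unexpired numeric "exp".
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        return None
    return payload.get(claim)
```
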
Create a consumer with HMAC authentication
- Go to the Consumers page in the Cloud-native API Gateway console and select a region.
- Click Create a consumer. In the Create Consumer panel, set Consumer Name, select Hash-based Message Authentication Code (HMAC) as the authentication method, and complete the following configurations:
  - System Generated: The system automatically generates the Access Key (AK) and Secret Key (SK) for you.
  - Custom: Specify a custom AK and SK.
Deactivate a consumer
- Log on to the API Gateway console.
- In the left-side navigation pane, click Consumers. In the top navigation bar, select a region.
- On the Consumers page, find the target consumer, click Disable in the Actions column, and click OK to confirm.
Delete a consumer
- Log on to the API Gateway console.
- In the left-side navigation pane, click Consumers. In the top navigation bar, select a region.
- On the Consumers page, find the target consumer and click Delete in the Actions column. In the confirmation dialog box, enter the consumer name, and click Delete.