Terms

These terms cover the key concepts you need to know before you create and publish APIs in API Gateway.

Term

Description

Application

An application represents the identity of an API caller. Each application has an AppKey and AppSecret pair that the caller uses to authenticate requests. You must create an application before calling any API operation.

AppKey and AppSecret

Every application has a unique key pair: an AppKey and an AppSecret. To call an API operation, include the AppKey as a request parameter and use the AppSecret to compute a signature. API Gateway verifies this signature to authenticate the caller.

Encrypted signature

A signature is a string computed from the request and the AppSecret, and attached to every API request. API Gateway uses the signature to verify that the request comes from an authorized caller.

Authorization

Authorization grants an application permission to call a specific API operation. Only the API owner can authorize applications. An application cannot call an API operation until it has been authorized.

API lifecycle

An API operation goes through several stages: created, debugged, published, and unpublished. The API owner manages these transitions. The API definition may also be updated and versioned during the lifecycle.

API definition

An API definition is the full set of configurations that describe how an API operation works. It includes the backend service address, request format, parameter mapping rules, and response format. API Gateway uses the definition to mediate between what the caller sends and what the backend receives.

Parameter mapping

Parameter mapping lets the API owner define rules that transform an incoming API request into the format the backend service expects. This means callers and backend services can use different parameter names and structures.

Parameter verification

Parameter verification checks whether incoming request parameters meet the rules defined by the API owner. Requests that fail validation are rejected by API Gateway before they reach the backend.

Constant parameter

A constant parameter is a fixed value that the API owner configures in the API definition. API Gateway automatically adds it to every request sent to the backend — callers never include it themselves.

System parameter

A system parameter is a gateway-level value that API Gateway automatically appends to every request before routing it to the backend. For example, CaClientIp captures the caller's IP address.

API group

An API group is the organizational unit for managing API operations in API Gateway. You must create an API group before you can create any API operation.

Default second-level domain name

A default second-level domain name is the domain name that API Gateway automatically assigns to an API group when the group is created. Use it to test API calls during development.

Independent domain name

An independent domain name is a domain name bound to an API group. API callers use this domain name to call API operations in the group. You must bind an independent domain name to an API group before publishing any API operation in that group.

Signature key

A signature key adds an extra layer of authentication between API Gateway and the backend service. After you create a signature key and bind it to an API operation, API Gateway signs every forwarded request using that key.

Throttling policy

A throttling policy sets limits on how many requests are allowed within a given time window. Limits can be applied at three levels: per API operation, per user, or per application. Supported time windows are per minute, per hour, and per day.