Overview

Authentication methods

API Gateway supports four authentication methods. Choose based on your security requirements and deployment environment.

Digest authentication is the recommended approach for most API calls. It provides strong security and broad SDK support — API Gateway SDKs for multiple languages include the signing mechanism, so you don't need to implement it manually.

• To use the SDK-based signing approach, see Use SDKs to call APIs.

• To implement request signing yourself, see Request signature.

For AppCode-based authentication, see Call an API operation by using an AppCode.

For JWT-based authentication, see JWT authentication plug-in.

Network environments

Clients can call APIs over the Internet or over a Virtual Private Cloud (VPC).

For Internet calls, use one of the authentication methods described above.

For VPC calls, see:

• Access API Gateway over a VPC

• Access API Gateway from Function Compute over an internal network

• API calls implemented by API Gateway

App authorization

When an API uses Alibaba Cloud APP authentication, you must authorize an app before it can call that API.

An app is the identity used to call APIs. Each app has an AppKey and AppSecret key pair. When making a call, the app includes the AppKey in the request header and uses the AppSecret to generate a signature.

You can authorize apps you own, or authorize apps that belong to other users by specifying their app IDs.

For details, see Authorize an application to call an API operation.