doc-exports/docs/apiu/guidelines/apig-en-api-180328004.html

<a name="apig-en-api-180328004"></a><a name="apig-en-api-180328004"></a>

<h1 class="topictitle1">AK/SK Authentication</h1>
<div id="body1521445726195"><p id="apig-en-api-180328004__p4081232010247">When you use API Gateway to send requests to underlying services, the requests must be signed using the AK and SK.</p>
<div class="note" id="apig-en-api-180328004__note39290400185533"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="apig-en-api-180328004__p43222010185539">AK is a unique identifier that is associated with a secret access key; the access key ID and secret access key are used together to sign requests cryptographically.</p>
<p id="apig-en-api-180328004__p27812810185625">SK is a key that is used in conjunction with an access key ID to cryptographically sign requests. Signing a request identifies the sender and prevents the request from being altered.</p>
</div></div>
<p id="apig-en-api-180328004__p177381608119">The AK/SK authentication process is as follows:</p>
<ol id="apig-en-api-180328004__ol3895253574"><li id="apig-en-api-180328004__li889518531076"><a name="apig-en-api-180328004__li889518531076"></a><a name="li889518531076"></a>A standard request is created.</li><li id="apig-en-api-180328004__li1541420241986">A to-be-signed string is created using the request and other related information.</li><li id="apig-en-api-180328004__li198402221915"><a name="apig-en-api-180328004__li198402221915"></a><a name="li198402221915"></a>A signature is calculated using the AK/SK and to-be-signed string.</li><li id="apig-en-api-180328004__li68021236101010">The generated signature is added as a header or a query parameter in the HTTP request.</li><li id="apig-en-api-180328004__li12754191891410">After receiving the request, API Gateway performs <a href="#apig-en-api-180328004__li889518531076">1</a> to <a href="#apig-en-api-180328004__li198402221915">3</a> to calculate a signature.</li><li id="apig-en-api-180328004__li1440182718209">The new signature is compared with the signature generated in <a href="#apig-en-api-180328004__li198402221915">3</a>. If they are consistent, the request is processed; otherwise, the request is rejected.</li></ol>
<p id="apig-en-api-180328004__p193791486216"><a href="#apig-en-api-180328004__fig104904517537">Figure 1</a> shows the process of calling APIs through AK/SK authentication.</p>
<div class="fignone" id="apig-en-api-180328004__fig104904517537"><a name="apig-en-api-180328004__fig104904517537"></a><a name="fig104904517537"></a><span class="figcap"><b>Figure 1 </b>API calling process flow</span><br><span><img class="imgResize" id="apig-en-api-180328004__image1749635618277" src="en-us_image_0161965716.png" title="Click to enlarge"></span></div>
<div class="note" id="apig-en-api-180328004__note14106145674716"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="apig-en-api-180328004__ul4407983487"><li id="apig-en-api-180328004__li11407988488">If a failure occurs in any step, the failure will be returned to the client application.</li><li id="apig-en-api-180328004__li1091411114818">The cached token is valid for 15 minutes by default.</li></ul>
</div></div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="apig-en-api-180328005.html">Generating an AK and SK</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="apig-en-api-180328006.html">Signing a Request</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="apig-en-api-180328008.html">Sample Code</a></strong><br>
</li>
</ul>

<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="apig-en-api-180925010.html">Calling APIs</a></div>
</div>
</div>


<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>