Basic Concepts¶
API¶
A set of predefined functions that encapsulates application capabilities. You can create APIs and make them accessible to users.
When creating an API, you need to configure the basic information and the frontend and backend request paths, parameters, and protocols.
API Group¶
A collection of APIs used for the same service. API groups facilitate API management.
Environment¶
A stage in the lifecycle of an API. An environment, such as API testing or development environment, specifies the usage scope of APIs, facilitating API lifecycle management. The same API can be published in different environments.
To call an API in different environments, you need to add the x-stage header parameter to the request sent to call the API. The value of this parameter is an environment name.
Environment Variable¶
A variable that is manageable and specific to an environment. You can create variables in different environments to call different backend services using the same API.
Request Throttling¶
Controls the number of times APIs can be called by a user, an app, or an IP address during a specific period to protect backend services.
Request throttling can be accurate to the minute and second.
Access Control¶
Access control policies are one of the security measures provided by APIG. They allow or deny API access from specific IP addresses or accounts.
App¶
An entity that requests for APIs. An app can be authorized to access multiple APIs, and multiple apps can be authorized to access the same API.
Signature Key¶
Consists of a key and secret, which are used by backend services to verify the identity of API Gateway and ensure secure access.
When an API bound with a signature key is called, API Gateway adds signature information to the API requests. The backend service of the API signs the requests in the same way, and verifies the identity of API Gateway by checking whether the signature is consistent with that in the Authorization header sent by API Gateway.
VPC Channel¶
A method for accessing VPC resources from API Gateway, allowing you to selectively expose backend services deployed in VPCs to third-party users.
Custom Authentication¶
A mechanism defined with custom rules for API Gateway to verify the validity and integrity of requests initiated by API callers. The mechanism is also used for backend services to verify the requests forwarded by API Gateway.
The following two types of custom authentication are provided:
Frontend custom authentication: A custom authorizer is configured with a function to authenticate requests for an API.
Backend custom authentication: A custom authorizer can be configured to authenticate requests for different backend services, eliminating the need to customize APIs for different authentication systems and simplifying API development. You only need to create a function-based custom authorizer in API Gateway to connect to the backend authentication system.
Simple Authentication¶
Simple authentication facilitates quick response for API requests by adding the X-Apig-AppCode parameter (whose value is an AppCode) to the HTTP request header. API Gateway verifies only the AppCode and does not verify the request signature.
Gateway Response¶
Gateway responses are returned if API Gateway fails to process API requests. API Gateway provides default responses for multiple scenarios and allows you to customize response status codes and content. You can add a gateway response in JSON format on the API Groups page.