Token Authentication

Application Scenarios

If API requests are authenticated using tokens, the request header must contain X-Auth-Token (token information).

This section describes how to call an API for token authentication.

Procedure

  1. Send POST https://IAM endpoint/v3/auth/tokens. To obtain the IAM endpoint and the region name in the message body, see Regions and Endpoints.

    A cloud service can be deployed globally or at the project level.

    • A project-level service requires a project-level token. When you call the API, set auth.scope in the request body to project. The following services are at the project level: AOM, APIG, AS, BMS, CBR, CCE, Cloud Eye, CSBS, CSS, CTS, DataArts Studio, DC, DCS, DDS, Dedicated WAF, DeH, DIS, DLI, DMS, DNS, DRS, DWS, ECS, EIP, ELB, EVS, GaussDB (for MySQL), GaussDB NoSQL, IMS, KMS, LTS, ModelArts, MRS, NAT, PLAS, RDS, RTS, SDRS, SFS, SMN, SWR, VBS, VPC, VPCEP, VPN, and WAF.

    • A global service requires a global token. When you call the API, set auth.scope in the request body to domain. The following services are global ones: Anti-DDoS, IAM, OBS, and TMS.

    The following shows an example of a project-level service request:

     
    Note

    Replace the text in italics with actual values. For details, see Identity and Access Management API Reference.

    Log in to the management console, click your username in the upper right corner, and choose My Credential from the drop-down list. On the My Credentials page, obtain your username, domain name, and project ID.

    {
      "auth": {
        "identity": {
          "methods": [
            "password"
          ],
          "password": {
            "user": {
              "name": "username", // IAM username
              "password": "password",  // IAM user password
              "domain": {
                "name": "domainname" // Name of the domain to which the IAM user belongs
              }
            }
          }
        },
        "scope": {
          "project": {
            "id": "0215ef11e49d4743be23dd97a1561e91" // Project ID
          }
        }
      }
    }
    

    The following shows an example of a global service request:

    {
        "auth": {
            "identity": {
                "methods": [
                    "password"
                ],
                "password": {
                    "user": {
                        "name": "username",   // IAM username
                        "password": "password",  // IAM user password
                        "domain": {
                            "name": "domainname"  // Name of the domain to which the IAM user belongs
                        }
                    }
                }
            },
            "scope": {
                "domain": {
                    "name": "domainname"    // Name of the domain to which the IAM user belongs
                }
            }
        }
    }
    
  2. Obtain the token. For details, see section "Obtaining the User Token" in the Identity and Access Management API Reference. If the request is successful, the value of the X-Subject-Token header in the response is the token.

    The following figures illustrate how to use Postman to manually obtain a token.

    **Figure 1** Example request

    **Figure 2** Obtain **X-Subject-Token** from the header of the response message.

  3. Call a service API, adding the X-Auth-Token header set to the token obtained in step 2.
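
The three steps above as a script, added here as an illustration and not taken from the API reference: it picks the scope from the service name, builds the token request, reads X-Subject-Token and attaches it as X-Auth-Token. The host names iam.example.com and service.example.com, the function names, and the rule that any service outside the global list is project-level are assumptions of this example.

```python
import json
import urllib.request

# Global services as listed on this page. Assumption of this example:
# any other service name is treated as project-level.
GLOBAL_SERVICES = {"Anti-DDoS", "IAM", "OBS", "TMS"}

def build_auth_body(username, password, domain_name, service, project_id=None):
    """Step 1 body: the scope is domain for global services, project otherwise."""
    if service in GLOBAL_SERVICES:
        scope = {"domain": {"name": domain_name}}
    elif project_id:
        scope = {"project": {"id": project_id}}
    else:
        raise ValueError(f"{service} is project-level and needs a project ID")
    user = {"name": username, "password": password, "domain": {"name": domain_name}}
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user}},
                     "scope": scope}}

def token_request(iam_endpoint, body):
    """Step 1 request, built but not sent; HTTPS keeps the password encrypted in transit."""
    return urllib.request.Request(
        f"https://{iam_endpoint}/v3/auth/tokens",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST")

def extract_token(response_headers):
    """Step 2: the token is the X-Subject-Token response header."""
    token = response_headers.get("X-Subject-Token")
    if not token:
        raise RuntimeError("response carries no X-Subject-Token header")
    return token

def service_request(url, token):
    """Step 3: send the token in X-Auth-Token on the service API call."""
    return urllib.request.Request(url, headers={"X-Auth-Token": token})

if __name__ == "__main__":
    # Constructed values; in real use read the password from a secret store
    # or environment variable, and never print or log the token.
    body = build_auth_body("username", "password", "domainname", "ECS",
                           project_id="0215ef11e49d4743be23dd97a1561e91")
    req = token_request("iam.example.com", body)
    print(req.get_method(), req.full_url, list(body["auth"]["scope"]))
    token = extract_token({"X-Subject-Token": "constructed-token"})
    print(service_request("https://service.example.com/", token).full_url)
```

To send the requests, pass them to urllib.request.urlopen and hand the response's headers object to extract_token.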