If your application needs to call a model service from an untrusted environment, such as a browser or mobile app, use a secure backend service to provide a temporary API key. This prevents your permanent API key from being exposed.
A temporary API key inherits the permissions of the API key that created it, such as access restrictions for specific models or knowledge bases.
Request example
Before generating a temporary API key, make sure you have obtained a permanent API key and configured it as an environment variable. By default, a temporary API key is valid for 60 seconds. You can set a custom timeout period between 1 and 1,800 seconds.
API keys for the Singapore and Beijing regions are different.
The following URL is for the Singapore region. If you use a model in the Beijing region, replace the URL with: https://dashscope.aliyuncs.com/api/v1/tokens?expire_in_seconds=1800
curl -X POST "https://dashscope-intl.aliyuncs.com/api/v1/tokens?expire_in_seconds=1800" \
-H "Authorization: Bearer $DASHSCOPE_API_KEY"
Response example
Sample success response
{
"token":"st-****",
"expires_at":1744080369
}
Response parameters
Parameter | Type | Description | Example |
token | String | The temporary API key. | st-**** |
expires_at | Number | The expiration time as a UNIX timestamp in seconds. | 1744080369 |
Sample error response
{
"code":"InvalidApiKey",
"message":"Invalid API-key provided.",
"request_id":"902fee3b-f7f0-9a8c-96a1-6b4ea25af114"
}
Response parameters
Parameter | Type | Description | Example |
code | String | The error code. For more information about causes and solutions, see Error messages. | InvalidApiKey: The API key is invalid. |
message | String | The error message. | Invalid API-key provided. |
request_id | String | The request ID. | 902fee3b-f7f0-9a8c-96a1-6b4ea25af114 |
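A backend helper for the flow described above, as an added example that is not part of the original page or the provider's own code. It enforces the 1 to 1,800 second range, calls the token endpoint with the permanent key from DASHSCOPE_API_KEY, and hands the client only token and expires_at. The function names, region labels, TokenError class, the expiry check on arrival, and the handling of an error body on a non-2xx status are assumptions of this example.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

# Endpoints as given on this page; the region labels used as keys are this example's own.
ENDPOINTS = {
    "singapore": "https://dashscope-intl.aliyuncs.com/api/v1/tokens",
    "beijing": "https://dashscope.aliyuncs.com/api/v1/tokens",
}

class TokenError(Exception):
    """Raised when the token endpoint returns an error body or an unusable token."""

def build_request(api_key, ttl=60, region="singapore"):
    # Enforce the documented 1..1800 second range before anything leaves the backend.
    if isinstance(ttl, bool) or not isinstance(ttl, int) or not 1 <= ttl <= 1800:
        raise ValueError("expire_in_seconds must be an integer from 1 to 1800")
    url = ENDPOINTS[region] + "?" + urllib.parse.urlencode({"expire_in_seconds": ttl})
    return urllib.request.Request(
        url, method="POST", headers={"Authorization": "Bearer " + api_key})

def parse_response(body, now=None):
    """Return only what the client needs; never echo the permanent key or raw body."""
    data = json.loads(body)
    if "code" in data:  # error shape from this page: code / message / request_id
        raise TokenError("%s (request_id=%s)" % (data["code"], data.get("request_id")))
    token, expires_at = data["token"], int(data["expires_at"])
    now = time.time() if now is None else now
    if expires_at <= now:  # example's own sanity check, catches clock skew early
        raise TokenError("token already expired on arrival")
    return {"token": token, "expires_at": expires_at}

def mint_temporary_key(ttl=60, region="singapore"):
    """Called by the backend route after it has authenticated the end user."""
    req = build_request(os.environ["DASHSCOPE_API_KEY"], ttl, region)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()  # assumption: an error status may still carry the JSON error body
    return parse_response(body)
```

The backend route that wraps mint_temporary_key should authenticate the caller first and keep the requested lifetime as short as the client's task allows, since a temporary key cannot be revoked before it expires.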
FAQ
Q: Can I manually delete a temporary API key that has been created?
A: No. A temporary API key has a fixed lifecycle and expires automatically.