# idaas-model

Part of **IDAAS**

> 💡 **Path Selection**: This skill is one implementation path for [Set up secure machine-to-machine (M2M) access](../../intent/idaas-secure-access/SKILL.md). If you're unsure which path to take, check the routing skill first.

# IDaaS Secure AI Access Console Guide

## Operations Overview

| Operation | Console Entry | Prerequisites | Description |
|------|-----------|---------|------|
| Integrate IDaaS M2M with AI Gateway for Keyless Access to Model Studio | Console > IDaaS > Instance Management > M2M Management | An active Alibaba Cloud account, access to the IDaaS console, an existing Model Studio API key, network connectivity to public internet for testing, basic understanding of OAuth 2.0 and JWT concepts | Set up secure, keyless access to Model Studio using IDaaS M2M integration with JWT tokens |

## Step-by-Step Instructions

### Integrate IDaaS M2M with AI Gateway for Keyless Access to Model Studio

**Navigation**: Console > IDaaS > Instance Management > M2M Management

**Prerequisites**:
- An active Alibaba Cloud account
- Access to the IDaaS console
- An existing Model Studio API key
- Network connectivity to public internet for testing
- Basic understanding of OAuth 2.0 and JWT concepts

1. Log on to the IDaaS console and switch to the target region  
   - Element: **Log on to the IDaaS console** (link) — top navigation bar  

2. Create an IDaaS instance  
   - Element: **Create Instance** (button) — right side of the page  

3. Open the EIAM instance management backend  
   - Element: **Open Console** (button) — Actions column in the EIAM instance list  

4. Enable M2M Management in the EIAM instance  
   - Element: **Upgrade** (button) — upgrade dialog box  

5. Create an M2M client application  
   - Element: **Create** (button) — M2M Applications tab  

6. Generate a client secret for the M2M client application  
   - Element: **Create Client Secret** (button) — Certificates section  

7. Copy the client_id and client_secret values  
   - Element: **Show** (button) — next to client_secret field  

8. Create an M2M server application  
   - Element: **Create** (button) — M2M Applications tab  

9. Set the Resource Server Identifier and add a permission scope  
   - Element: **Add Permission** (button) — Permissions section  

10. Assign the added permission to the M2M Client  
    - Element: **OK** (button) — permission assignment panel  

11. Copy the JWKS endpoint URL from the M2M server application  
    - Element: **Sync IDaaS Provision JWKS Endpoint** (text_input) — Login Methods tab  

12. Go to the AI Gateway console and select the target region  
    - Element: **AI Gateway console** (link) — top navigation bar  

13. Create a consumer in AI Gateway  
    - Element: **Create Consumer** (button) — upper-left corner of Consumers list page  

14. Configure JWT authentication for the consumer  
    - Element: **JWT** (radio) — Authentication Method section  

15. Set the JWKS URL to the one copied from the M2M server application  
    - Element: **JWKS URL** (text_input) — JWT configuration panel  

16. Set the Consumer Identifier in JWKS Payload to the claim name 'scope', with the Scope Value defined on the M2M server application in step 9  
    - Element: **Consumer Identifier in JWKS Payload** (text_input) — JWT configuration panel  

17. Authorize the Model API for the consumer  
    - Element: **Authorize** (button) — Consumer Authorization tab  

18. Verify the configuration using the debugger in AI Gateway  
    - Element: **Debugging** (button) — upper-right corner of Model API details page  

19. Add an Authorization header with Bearer token in the debugger  
    - Element: **Add Parameters** (button) — Header section  
    - Notes: Ensure there is exactly one space between 'Bearer' and the token value

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Instance Description | text_input | Yes | — | A custom description for the IDaaS instance |
| Privacy Agreement | checkbox | Yes | — | Agreement checkbox for instance privacy settings |
| Application Name | text_input | Yes | — | Custom name for the M2M client or server application |
| Resource Server Identifier | text_input | Yes | — | Unique identifier for the resource server (e.g., `cloud:idaas:aigateway:alibabacloud:<account-id>`) |
| Scope Name | text_input | Yes | — | Name for the permission scope |
| Scope Value | text_input | Yes | — | Value for the permission scope |
| Consumer Name | text_input | Yes | — | Custom name for the consumer in AI Gateway |
| Status | dropdown | Yes | Enabled, Disabled | The status of the consumer (enabled or disabled) |
| Authentication Type | dropdown | Yes | API Key, JWT, HMAC | Authentication method for the consumer |
| JWKS URL | text_input | Yes | — | Public key endpoint URL from the M2M server application |
| Consumer Identifier in JWKS Payload | form_field | Yes | — | Configuration for identifying the consumer in the JWT payload |

## FAQ

Q: Where can I find the JWKS endpoint URL needed for AI Gateway configuration?  
A: The JWKS endpoint URL is displayed in the **Sync IDaaS Provision JWKS Endpoint** field under the Login Methods tab of your M2M server application in the IDaaS console.

Q: What permissions are required to perform these operations?  
A: You need administrative access to both the IDaaS console (to manage EIAM instances and M2M applications) and the AI Gateway console (to create consumers and authorize APIs).

Q: Can I modify the consumer’s authentication method after creation?  
A: Yes, you can edit the consumer in AI Gateway and change the authentication method, but ensure the new method aligns with your client’s capability and security policy.

Q: What happens if I leave the Scope Value empty when creating a permission?  
A: The Scope Value is required; leaving it empty will prevent successful permission assignment and subsequent token validation in AI Gateway.

Q: Is the default AI Gateway domain suitable for production use?  
A: No. The default public domain name provided by AI Gateway has a daily call limit of 1,000 and is intended for testing only. Use a custom domain for production workloads.

## Pricing & Billing

### Billing Model
Per-request pricing based on Model Studio usage. The integration itself does not incur additional costs beyond standard Model Studio API usage. AI Gateway instance pricing depends on the selected specification and region.

### Price Reference
- Input price: varies by model  
- Output price: varies by model  
- Other price: No additional charges for this integration pattern

### Free Tier
Not mentioned

### Billing Notes
The default public domain name provided by AI Gateway has a daily call limit of 1,000. It is for testing only and must not be used in production.