General Description

Updated at：2025-10-27

API requests adhere to the HTTP protocol and utilize region-specific domain names. The domain format is cce.{region}.baidubce.com. For instance, cce.bj.baidubce.com. Data is exchanged in JSON format, and all request/response body content is encoded in UTF-8.

Certification

Users who use the Cloud Container Engine (CCE) API need to complete certification. Those who have not passed certification can go to the certification under security certification in the Baidu Open Cloud Official Website Console for certification.

API authentication mechanism

The Access Key and request signature mechanism are uniformly adopted for all API security authentication. Access Key consists of an Access Key ID and a Secret Access Key, both of which are strings. For each HTTP request, use the algorithm described below to generate an authentication string. Submit the certification string in the Authorization header. The server verifies the correctness of the authentication string based on the generation algorithm. The certification string format is bce-auth-v{version}/{accessKeyId}/{timestamp}/{expirationPeriodInSeconds}/{signedHeaders}/{signature}.

The version should be a positive integer.
The timestamp is the UTC time when the signature is created.
The expirationPeriodInSeconds parameter defines the signature's validity duration.
signedHeaders refers to the headers included in the signature algorithm. They are separated by semicolons (e.g., host;x-bce-date) and arranged in lexicographical order. (This API signature involves only the host and x-bce-date headers.)
The Signature is a 256-bit hash represented as a 64-character lowercase hex string.

When Baidu AI Cloud receives a user's request, the system will use the same SK and identical authentication mechanism to generate an authentication string, and then compare it with the authentication string included in the user's request. If the authentication strings are the same, the system considers that the user possess the specified operation permission and proceeds with the relevant executions. If the authentication strings differ, the system will skip this operation and returns an error code. For detailed information on the authentication mechanism, please refer to [Authentication Mechanism](Reference/Authentication mechanism/Introduction.md).

Communication protocol

CCE API supports both HTTP and HTTPS protocols. For better data security, HTTPS is recommended.

Request structure description

The data exchange format is JSON, and all request/response body contents are encoded in UTF-8.
Request parameters include the following 4 types:

Parameter type	Description
URI	It is usually used to specify the operation entity, such as: POST /v{version}/instance/{instanceId}
Query	Request parameters carried in the URL
HEADER	It is passed in through HTTP header fields, such as: x-bce-date
RequestBody	Request data body organized in JSON format

Response structure description

Response values are in two forms:

Response content	Description
HTTP STATUS CODE	Such as 200, 400, 403, 404, etc.
ResponseBody	Response data body organized in JSON format.

API version number

Parameters	Types	Parameter location	Description	Required or not
version	String	URL parameter	API version No. Current API version is v2.	Yes

Definition of password encryption transmission specification

All API parameters related to passwords must be encrypted; plaintext transmission is strictly prohibited. Passwords are encrypted using the AES 128-bit encryption algorithm, with the first 16 bits of the SK as the encryption key. The resulting binary byte stream from the encryption must then be converted to a hexadecimal format and transmitted to the server as a string. The process is as follows:

byte[] bCiphertext = AES(plaintext, SK)
String strHex = HexStr(bCiphertext)

Typesetting conventions

Typesetting format	Meaning
< >	Variable
[ ]	Optional
{ }	Mandatory

Monospace font Courier New	Screen output

Service domain

Kubeconfig Related Interfaces

CCE CCE