---
Title: Manage security
URL Source: https://company-skill.com/p/bailian/bailian-manage-security
Language: en
Description: You need to secure access to Alibaba Cloud Model Studio by managing API keys, encrypting sensitive payloads, configuring private network boundaries, or setting up team permissions and content…
---

# Manage security

Part of **Bailian (Alibaba Cloud Model Studio)**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You need to secure access to Alibaba Cloud Model Studio by managing API keys, encrypting sensitive payloads, configuring private network boundaries, or setting up team permissions and content guardrails.

**Typical User Questions**:
- How to get API key?
- How to configure VPC and PrivateLink in Bailian?
- Generate temporary API key
- How to assign Bailian permissions to team members?
- RSA encryption for model inputs
- Private Link connection setup

## Decision Tree

Pick the best path for your situation:

- **If** you need to generate short-lived temporary keys (TTL 1 to 1800 seconds) or encrypt sensitive payloads using RSA public keys via REST API → Use **Programmatic Key & Encryption Management** (go to `bailian/api/bailian-access`)
- **If** you need to establish private network access via VPC Interface Endpoints, configure PrivateLink Reverse Endpoints, or manage team SSO and RBAC via the UI → Use **Console Network & Permission Setup** (go to `bailian/guide/bailian-access`)
- **Otherwise (default)** → Use **Console Network & Permission Setup**. This is the safest starting point for initial account setup, creating your permanent `DASHSCOPE_API_KEY`, and establishing baseline network and workspace configurations before automating anything via code.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Programmatic Key & Encryption Management | Generating temporary API keys, managing async tasks, and applying RSA encryption | Medium | Yes | Yes | Temporary API key TTL is strictly limited to a maximum of 1800 seconds | `bailian/api/bailian-access` |
| Console Network & Permission Setup | Configuring VPC, Private Link, MSE gateways, and managing team workspace permissions via UI | Medium | No | No | PrivateLink reverse endpoints for Secure Storage require an existing VPC in China (Beijing) spanning zones G, H, or L | `bailian/guide/bailian-access` |

## Path Details

### Path 1: Programmatic Key & Encryption Management

**Best For**: Generating temporary API keys, managing async tasks, and applying RSA encryption for secure payloads.

**Brief Description**: 
This path utilizes synchronous REST APIs for generating temporary API keys, managing asynchronous tasks, and obtaining RSA public keys to encrypt sensitive model payloads. It relies on endpoints like `POST /api/v1/tokens` and `POST /api/v1/tasks/{task_id}/cancel`, requiring a permanent `DASHSCOPE_API_KEY` for Bearer Token authentication.

**Key technical facts**:
- **Billing**: Temporary API Keys: Free of charge. Async Task Management & RSA Encryption: Billed per request.
- **Auth Method**: Bearer Token using permanent API key (`Authorization: Bearer $DASHSCOPE_API_KEY`)
- **Max Concurrency**: 20 QPS per Alibaba Cloud account for Async Task Management
- **Regions Available**: China (Default), International, US, Hong Kong, Europe (Frankfurt)
- **Prerequisites**: Permanent API key stored in `DASHSCOPE_API_KEY` environment variable

**When to Use**:
- Need to generate short-lived, secure API keys (1 to 1800 seconds) for temporary programmatic access.
- Need to programmatically query, batch query, or cancel asynchronous tasks via REST API.
- Need to encrypt sensitive model inputs in transit using RSA public keys before calling model APIs.

**When NOT to Use**:
- Need to configure VPC, PrivateLink, or network security boundaries (use Console Network & Permission Setup path instead).
- Need to manage workspace permissions, team members, or SSO via UI.
- Need long-lived API keys (temporary keys max out at 30 minutes).

**Known Limitations**:
- Temporary API key TTL is strictly limited to a maximum of 1800 seconds (30 minutes).
- Async tasks can only be canceled when in the PENDING state; canceling RUNNING, SUCCEEDED, or FAILED tasks returns an UnsupportedOperation error.
- Completed asynchronous tasks and their results are automatically deleted by the system after exactly 24 hours.
- Async Task Management is rate-limited to 20 QPS per Alibaba Cloud account, which includes all RAM users under the account.

### Path 2: Console Network & Permission Setup

**Best For**: Configuring VPC, Private Link, MSE gateways, and managing team workspace permissions via UI.

**Brief Description**: 
A console-based guide for configuring network security (VPC, PrivateLink, MSE gateways), managing workspace permissions, and setting up team SSO and AI guardrails. This path involves setting up the Home Business Space, configuring Zone IP Configuration, and managing team access via the Token Plan (Team Edition).

**Key technical facts**:
- **Billing**: API Keys: Free. Private Link: Incurs usage costs + CEN cross-region fees. AI Guardrail: 0.002 CNY / 1K tokens. Batch Inference: 50% cost of real-time.
- **Auth Method**: Console SSO / RAM user with `AliyunBailianFullAccess` policy
- **Regions Available**: China (Beijing), China (Hong Kong), Singapore, US (Virginia)
- **Prerequisites**: Alibaba Cloud account or RAM user with administrator permissions, `AliyunBailianFullAccess` RAM policy, VPC in the same region as the Model Studio service, security group allowing inbound traffic on ports 80 and 443.

**When to Use**:
- Need to establish private network access to Model Studio APIs via VPC Interface Endpoints or PrivateLink.
- Need to route traffic to VPC resources (OSS, AnalyticDB, Elasticsearch) using MSE Cloud Native Gateway.
- Need to manage team workspaces, assign RBAC roles, or configure SSO via Token Plan (Team Edition).
- Need to enable AI Guardrails for input and output content moderation.

**When NOT to Use**:
- Need to programmatically generate temporary API keys or encrypt payloads via REST API (use Programmatic Key & Encryption Management path instead).
- Need to automate infrastructure setup via code rather than clicking through console wizards.
- Need to query or cancel async tasks programmatically.

**Known Limitations**:
- The full API key is only shown once immediately after creation in the console and cannot be retrieved later if lost.
- SSO configuration cannot be edited while the organization has members; all members must be removed first before modifying SSO settings.
- Advanced model monitoring is only available in China (Beijing), Singapore, and US (Virginia) regions.
- Batch inference JSONL files are strictly limited to a maximum of 50,000 lines and 500MB in total size.
- PrivateLink reverse endpoints for Secure Storage require an existing VPC in China (Beijing) region spanning zones G, H, or L.

## FAQ

Q: Which path should I start with?
A: Start with Console Network & Permission Setup to create your initial permanent `DASHSCOPE_API_KEY`, configure your Home Business Space, and establish baseline network boundaries. Once the foundation is set, use the Programmatic path for automated, short-lived access.

Q: What if I need long-lived API keys for my production backend but chose Programmatic Key & Encryption Management?
A: If you need permanent credentials but chose the Programmatic path, you'll hit a hard limit: it only generates temporary API keys with a strict maximum TTL of 1800 seconds (30 minutes). For permanent keys, you must use the Console path.

Q: What if I need to encrypt sensitive model inputs but chose Console Network & Permission Setup?
A: If you need payload encryption but chose the Console path, you'll hit a wall: the console handles network-level security but does not provide the RSA public keys needed for payload-level encryption. You must use the Programmatic path to fetch RSA keys and encrypt inputs before calling `com.aliyuncs.dashscope` endpoints.

Q: Can I use the Programmatic path to set up a Reverse Endpoint for my VPC?
A: If you need to configure network infrastructure like a Reverse Endpoint but chose the Programmatic path, you'll find no such API. Network components like Reverse Endpoints, Interface Endpoints, and Zone IP Configuration can only be provisioned through the Console path.

Q: How do I handle team permissions and content moderation?
A: Use the Console path. It provides the UI to manage the Token Plan (Team Edition) for RBAC/SSO and to enable the AI Guardrail for input/output content moderation. These administrative features are not exposed via the programmatic REST APIs.

