tencent cloud

Security Token Service

DocumentationSecurity Token ServiceAPI DocumentationSTS APIsGetFederationToken

GetFederationToken

PDF
Focus Mode
Font Size
Last updated: 2026-04-24 15:38:31

1. API Description

Domain name for API request: sts.intl.tencentcloudapi.com.

This API is used to provide instructions.

This API is used to return a set of temporary access credentials. A typical application scenario is for proxy applications to centrally request temporary access credentials and distribute them to other distributed terminal applications within the enterprise network, such as terminal applications uploading files to COS. This API only supports calls with permanent keys.

This API is used to implement best practices.

  1. This API is used to recommend reusing temporary access credentials within their validity period to avoid rate limiting due to increased business request rates.
  2. This API is used to recommend granting temporary access credentials with the principle of least privilege.
  3. This API is used to recommend not using the root account for permanent keys calling the API.

A maximum of 600 requests can be initiated per second for this API.

We recommend you to use API Explorer
Try it
API Explorer provides a range of capabilities, including online call, signature authentication, SDK code generation, and API quick search. It enables you to view the request, response, and auto-generated examples.

2. Input Parameters

The following request parameter list only provides API request parameters and some common parameters. For the complete common parameter list, see Common Request Parameters.

Parameter Name Required Type Description
Action Yes String Common Params. The value used for this API: GetFederationToken.
Version Yes String Common Params. The value used for this API: 2018-08-13.
Region Yes String Common Params. For more information, please see the list of regions supported by the product.
Name Yes String The customizable name of the caller, consisting of letters
Policy Yes String Note:

The policy syntax refers to CAM's Syntax Logic.
The policy cannot contain the principal element.
This parameter needs to be URL-encoded. The server will URL-decode this field and grant temporary access credentials based on the processed policy. Please pass the parameter according to the specification.
DurationSeconds No Integer The validity period of temporary credentials in seconds. Default value: 1,800s. Maximum value for a root account: 7,200s. Maximum value for a sub-account: 129,600s.

3. Output Parameters

Parameter Name Type Description
Credentials Credentials Temporary access credentials
ExpiredTime Integer Temporary access credentials expiration time. A Unix timestamp will be returned which is accurate to the second.
Expiration String Temporary access credentials expiration time in UTC time in ISO 8601 format.
Note: this field may return null, indicating that no valid values can be obtained.
RequestId String The unique request ID, generated by the server, will be returned for every request (if the request fails to reach the server for other reasons, the request will not obtain a RequestId). RequestId is required for locating a problem.

4. Example

Example1 Obtaining Temporary Access Credentials

This example shows you how to grant the temporary access credentials with the following permissions:
{"version":"2.0","statement":[{"effect":"allow","action":["name/cos:PutObject"],"resource":["qcs::cos:ap-beijing:uid/123456:prefix//123456/bucketA/*"]}]}

Note: As the GET request URL-encodes all parameters, the Policy parameter in the following example has been URL-encoded twice.

Input Example

https://sts.intl.tencentcloudapi.com/?Action=GetFederationToken
&Name=SUN
&Policy=%257B%2522version%2522%3A%25222.0%2522%2C%2522statement%2522%3A%255B%257B%2522effect%2522%3A%2522allow%2522%2C%2522action%2522%3A%255B%2522name%2Fcos%3APutObject%2522%255D%2C%2522resource%2522%3A%255B%2522qcs%3A%3Acos%3Aap-beijing%3Auid%2F123456%3Aprefix%2F%2F123456%2FbucketA%2F%2A%2522%255D%257D%255D%257D
&<Common request parameters>

Output Example

{
    "Response": {
        "Credentials": {
            "Token": "kTRt***",
            "TmpSecretId": "AKID***",
            "TmpSecretKey": "Eo28***"
        },
        "Expiration": "2023-06-14T05:06:57Z",
        "ExpiredTime": 1686719217,
        "RequestId": "59a5e07e-4147-4d2e-a808-dca76ac5b3fd"
    }
}

5. Developer Resources

SDK

TencentCloud API 3.0 integrates SDKs that support various programming languages to make it easier for you to call APIs.

Command Line Interface

6. Error Code

The following only lists the error codes related to the API business logic. For other error codes, see Common Error Codes.

Error Code Description
InternalError.DbError Database error.
InternalError.EncryptError Encryption failed.
InternalError.GetAppIdError Failed to get the appid.
InternalError.GetSeedTokenError Failed to obtain the token.
InternalError.SystemError Internal system error, such as network error.
InvalidParameter.AccountNotAvaliable The account does not exist or is unavailable.
InvalidParameter.ExtendStrategyOverSize The extension policy is too large.
InvalidParameter.GrantOtherResource Unauthorized access to the resource.
InvalidParameter.OverTimeError The expiration time exceeds the threshold.
InvalidParameter.ParamError Invalid parameter.
InvalidParameter.PolicyTooLong The policy is too long.
InvalidParameter.ResouceError Six-segment resource description error.
InvalidParameter.StrategyFormatError Policy syntax error.
InvalidParameter.StrategyInvalid Invalid policy.
InvalidParameter.TempCodeNotAvaliable Invalid temporary code.
ResourceNotFound.RoleNotFound The role corresponding to the account does not exist.
UnauthorizedOperation Unauthorized operation.
UnsupportedOperation Unsupported operation.
Previous Topic: ResponsesNext Topic: GetCallerIdentity

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback