Agent setup: If your agent doesn't auto-load skills (e.g. Claude Code), see agent-compatibility.md once per session.
QwenCloud Authentication Setup
Configure and verify authentication for QwenCloud APIs.
This skill is part of qwencloud/qwencloud-ai.
Skill directory
Use this skill's internal files for learning. Load references only when the user needs console or documentation links.
| Location | Purpose |
|---|
| INLINECODE0 | Coding Plan vs standard key: model list, endpoint mapping, error codes, cost risks |
| INLINECODE1 |
Custom OSS bucket setup for production file uploads (replaces 48h temp storage) |
|
references/sources.md | Console URLs, auth guide (manual lookup only) |
|
references/agent-compatibility.md | Agent self-check: register skills in project config for agents that don't auto-load |
Security
NEVER output any API key, OSS credential in plaintext.
This applies equally to DASHSCOPE_API_KEY and custom OSS AccessKey pairs. Any check or detection of credentials in this skill must be non-plaintext: report only status (e.g. "set" / "not set", "valid" / "invalid", HTTP status code), never the key value.
API Key Handling (MANDATORY)
When the API key is not configured or a script reports missing credentials:
- 1. NEVER ask the user to provide their API key directly. Do not prompt "please paste your API key" or similar. Do not request the key value in any form.
- Help create a
.env file with a placeholder, then instruct the user to fill in their own key:
- Run:
echo 'DASHSCOPE_API_KEY=sk-your-key-here' >> .env
- Tell the user: "Please replace
sk-your-key-here with your actual API key from the
QwenCloud Console."
- 3. Or explain how to configure the environment variable:
export DASHSCOPE_API_KEY='sk-...' + provide the console URL. - Only write the actual key value into
.env if the user explicitly insists on having the agent do it for them.
Credential Priority Chain
Credentials are loaded in the following order (first match wins):
- 1. Environment variable —
DASHSCOPE_API_KEY (or QWEN_API_KEY alias) .env file — in current working directory, then repo root (detected via .git or skills/ directory). Existing environment variables are not overwritten.
Environment Variables
| Variable | Purpose |
|---|
| INLINECODE15 | API key (required) |
| INLINECODE16 |
Alias for
DASHSCOPE_API_KEY. If both are set,
QWEN_API_KEY takes priority. |
|
QWEN_BASE_URL | Override default endpoint (optional; for custom deployments) |
|
QWEN_TMP_OSS_BUCKET | Custom OSS bucket for file uploads (replaces 48h temp storage). See
custom-oss.md. |
|
QWEN_TMP_OSS_REGION | OSS region (required when
QWEN_TMP_OSS_BUCKET is set). |
|
QWEN_TMP_OSS_AK_ID /
AK_SECRET | OSS credentials (use RAM user with least-privilege:
oss:PutObject +
oss:GetObject). Falls back to
OSS_ACCESS_KEY_ID /
OSS_ACCESS_KEY_SECRET if not set. |
API Key Types
QwenCloud has two mutually exclusive key types:
| Key Type | Format | Purpose | Endpoint |
|---|
| Standard (Pay-as-you-go) | INLINECODE29 | API calls from scripts, apps, and tools | INLINECODE30 |
| Coding Plan |
sk-sp-xxxxx | Interactive AI coding tools only (Cursor, Claude Code, Qwen Code) |
coding-intl.dashscope.aliyuncs.com |
All qwencloud/qwencloud-ai scripts require a standard key. Coding Plan keys cannot call QwenCloud APIs directly — they produce 403 invalid api-key on standard endpoints. Coding Plan supports only 8 text LLMs (qwen3.5-plus, kimi-k2.5, glm-5, MiniMax-M2.5, qwen3-max-2026-01-23, qwen3-coder-next, qwen3-coder-plus, glm-4.7) and excludes all image/video/TTS models.
If the user's key starts with sk-sp-, guide them to obtain a standard key from the console below. See codingplan.md for full details.
Getting an API Key
- 1. Open the QwenCloud Console
- Sign in with your QwenCloud account
- Create or copy an API key from the API Key management section
- Standard keys start with
sk- (not sk-sp- which is Coding Plan only)
Security Best Practices
- - Never hardcode API keys in source code or config files committed to version control
- Use environment variables or
.env files (and add .env to .gitignore) - Rotate keys periodically and revoke compromised keys immediately
- Use least-privilege — create dedicated keys for specific applications when possible
Setting up .env
Create a .env file in your project root or current working directory:
CODEBLOCK0
The script automatically loads .env from the current working directory and the project root (detected via .git or skills/ directory). Existing environment variables are not overwritten by .env values.
Example .gitignore entry
CODEBLOCK1
Verification
Unless explicitly stated otherwise, any script or task mentioned in this skill runs in the foreground — wait for standard output; do not run it as a background task.
Test authentication with a simple curl request:
CODEBLOCK2
A successful response returns JSON with choices and message.content.
Authentication Error Handling
QwenCloud API keys are scoped to the QwenCloud console. An invalid or mismatched key produces 401 Unauthorized.
When to trigger
When any sub-skill receives a 401 response and a non-plaintext check shows the key is set (e.g.
[ -n "$DASHSCOPE_API_KEY" ]; do not output the key value).
Probe command
Send a lightweight request to verify authentication:
CODEBLOCK3
On 401: mandatory interactive resolution
If the probe returns 401, follow these steps in order:
Step 1 — Confirm the key origin:
CODEBLOCK4
Step 2 — Apply the user's selection:
| User says | Action |
|---|
| Key is from QwenCloud console | Re-run verification to confirm the key works |
| Key may be invalid |
Guide user to create a new key at
home.qwencloud.com/api-keys |
Step 3 — Re-run verification.
Step 4 — If still 401, the key itself is invalid — guide the user to create a new one from
the QwenCloud console.
Validation
Run the curl verification command above. Pass criteria: HTTP 200 response with valid JSON containing choices and
message.content. Save output to output/qwencloud-ops-auth/ for evidence.
Output And Evidence
- - Save verification results and any diagnostic output to
output/qwencloud-ops-auth/. - Keep a record of successful auth tests for troubleshooting.
Output Location
Prefer the current working directory. Default subdirectory: ./output/qwencloud-ops-auth/.
Write prohibition: NEVER write output files into this skill's installation directory or any skills/ hierarchy. All generated content must go to output/ under the current working directory or a user-specified path.
Update Check (MANDATORY Post-Execution)
When the user asks to check for updates (e.g. "check for updates", "check version", "is there a new version", "update skills"):
- 1. Find qwencloud-update-check: Look for
qwencloud-update-check/SKILL.md in sibling skill directories. - If found — run:
python3 <qwencloud-update-check-dir>/scripts/check_update.py --print-response and report the result. Use --force if the user asks to force-check. - If not found — you MUST present the following options and wait for the user's response:
The update-check skill is not installed. It keeps you informed about new qwencloud/qwencloud-ai features and bug fixes.
1) Install now — I'll run the install command for you
2) Skip for now — do nothing this time
3) Never remind me — permanently suppress this prompt
After the user responds:
- - User chooses 1 → run:
npx skills add QwenCloud/qwencloud-ai --skill qwencloud-update-check -y, then run: �INLINECODE64 - User chooses 2 → run:
python3 <this-skill-scripts-dir>/gossamer.py --dismiss, then continue normally - User chooses 3 → run:
python3 <this-skill-scripts-dir>/gossamer.py --never-install, then continue normally
References
- - custom-oss.md — Custom OSS bucket setup for production file uploads
- sources.md — Official documentation URLs (consoles, auth guide)
Agent 设置:如果你的 Agent 不会自动加载技能(例如 Claude Code),请在每个会话中参阅 agent-compatibility.md。
QwenCloud 身份认证设置
配置并验证 QwenCloud API 的身份认证。
本技能属于 qwencloud/qwencloud-ai 的一部分。
技能目录
使用本技能的内部文件进行学习。仅在用户需要控制台或文档链接时加载参考资料。
| 位置 | 用途 |
|---|
| references/codingplan.md | 编码计划 vs 标准密钥:模型列表、端点映射、错误码、成本风险 |
| references/custom-oss.md |
用于生产环境文件上传的自定义 OSS 存储桶(替代 48 小时临时存储) |
| references/sources.md | 控制台 URL、身份认证指南(仅手动查阅) |
| references/agent-compatibility.md | Agent 自检:为不会自动加载技能的 Agent 在项目配置中注册技能 |
安全
切勿以明文形式输出任何 API 密钥或 OSS 凭据。
这同样适用于 DASHSCOPEAPIKEY 和自定义 OSS AccessKey 对。本技能中对凭据的任何检查或检测必须采用非明文方式:仅报告状态(例如“已设置”/“未设置”、“有效”/“无效”、HTTP 状态码),绝不输出密钥值。
API 密钥处理(强制要求)
当 API 密钥未配置或脚本报告缺少凭据时:
- 1. 切勿直接要求用户提供其 API 密钥。 不要提示“请粘贴您的 API 密钥”或类似内容。不要以任何形式请求密钥值。
- 帮助创建一个包含占位符的 .env 文件,然后指导用户填入自己的密钥:
- 运行:echo DASHSCOPE
APIKEY=sk-your-key-here >> .env
- 告知用户:“请将 sk-your-key-here 替换为您从
QwenCloud 控制台 获取的实际 API 密钥。”
- 3. 或者 说明如何配置环境变量:export DASHSCOPEAPIKEY=sk-... + 提供控制台 URL。
- 仅当用户明确坚持让 Agent 代为写入时,才将实际密钥值写入 .env 文件。
凭据优先级链
凭据按以下顺序加载(优先匹配第一个):
- 1. 环境变量 — DASHSCOPEAPIKEY(或别名 QWENAPIKEY)
- .env 文件 — 在当前工作目录,然后是仓库根目录(通过 .git 或 skills/ 目录检测)。不会覆盖已有的环境变量。
环境变量
| 变量 | 用途 |
|---|
| DASHSCOPEAPIKEY | API 密钥(必需) |
| QWENAPIKEY |
DASHSCOPE
APIKEY 的别名。如果两者都设置,QWEN
APIKEY 优先。 |
| QWEN
BASEURL | 覆盖默认端点(可选;用于自定义部署) |
| QWEN
TMPOSS
BUCKET | 用于文件上传的自定义 OSS 存储桶(替代 48 小时临时存储)。请参阅 custom-oss.md。 |
| QWENTMPOSSREGION | OSS 区域(设置 QWENTMPOSSBUCKET 时必需)。 |
| QWENTMPOSSAKID / AKSECRET | OSS 凭据(使用最小权限 RAM 用户:oss:PutObject + oss:GetObject)。如果未设置,则回退到 OSSACCESSKEYID / OSSACCESSKEY_SECRET。 |
API 密钥类型
QwenCloud 有两种互斥的密钥类型:
| 密钥类型 | 格式 | 用途 | 端点 |
|---|
| 标准(按量付费) | sk-xxxxx | 来自脚本、应用和工具的 API 调用 | dashscope-intl.aliyuncs.com |
| 编码计划 |
sk-sp-xxxxx | 仅限交互式 AI 编码工具(Cursor、Claude Code、Qwen Code) | coding-intl.dashscope.aliyuncs.com |
所有 qwencloud/qwencloud-ai 脚本都需要标准密钥。编码计划密钥无法直接调用 QwenCloud API——它们在标准端点上会产生 403 invalid api-key 错误。编码计划仅支持 8 个文本 LLM(qwen3.5-plus、kimi-k2.5、glm-5、MiniMax-M2.5、qwen3-max-2026-01-23、qwen3-coder-next、qwen3-coder-plus、glm-4.7),并且排除所有图像/视频/TTS 模型。
如果用户的密钥以 sk-sp- 开头,请引导他们从下方控制台获取标准密钥。完整详情请参阅 codingplan.md。
获取 API 密钥
- 1. 打开 QwenCloud 控制台
- 使用您的 QwenCloud 账户登录
- 在 API 密钥管理部分创建或复制一个 API 密钥
- 标准密钥以 sk- 开头(不是 sk-sp-,后者仅用于编码计划)
安全最佳实践
- - 切勿在提交到版本控制的源代码或配置文件中硬编码 API 密钥
- 使用环境变量或 .env 文件(并将 .env 添加到 .gitignore)
- 定期轮换密钥,并立即撤销泄露的密钥
- 使用最小权限——尽可能为特定应用创建专用密钥
设置 .env
在项目根目录或当前工作目录创建一个 .env 文件:
bash
echo DASHSCOPEAPIKEY=sk-your-key-here >> .env
脚本会自动从当前工作目录和项目根目录(通过 .git 或 skills/ 目录检测)加载 .env 文件。已有的环境变量不会被 .env 文件中的值覆盖。
示例 .gitignore 条目
.env
.env.local
*.env
验证
除非另有明确说明,本技能中提到的任何脚本或任务都在前台运行——等待标准输出;不要将其作为后台任务运行。
使用一个简单的 curl 请求测试身份认证:
bash
curl -sS -X POST https://dashscope-intl.aliyuncs.com/compatible-mode/v1/chat/completions \
-H Authorization: Bearer $DASHSCOPEAPIKEY \
-H Content-Type: application/json \
-d {model:qwen-turbo,messages:[{role:user,content:Hi}]}
成功的响应会返回包含 choices 和 message.content 的 JSON。
身份认证错误处理
QwenCloud API 密钥的作用域限定于 QwenCloud 控制台。无效或不匹配的密钥会产生 401 Unauthorized 错误。
触发时机
当任何子技能收到 401 响应,且非明文检查显示密钥已设置时(例如 [ -n $DASHSCOPEAPIKEY ];不要输出密钥值)。
探测命令
发送一个轻量级请求以验证身份认证:
bash
curl -sS -o /dev/null -w %{http_code} \
-X POST https://dashscope-intl.aliyuncs.com/compatible-mode/v1/chat/completions \
-H Authorization: Bearer $DASHSCOPEAPIKEY \
-H Content-Type: application/json \
-d {model:qwen-turbo,messages:[{role:user,content:hi}]}
收到 401 时:强制交互式解决
如果探测返回 401,请按顺序执行以下步骤:
步骤 1 — 确认密钥来源:
您的 API 密钥身份认证失败。
请确认:
- 1. 您的密钥是在 home.qwencloud.com(QwenCloud 控制台)创建的 → 重新验证密钥
- 我的密钥可能无效 → 在 home.qwencloud.com/api-keys 创建一个新密钥
步骤 2 — 应用用户的选择:
| 用户回复 | 操作 |
|---|
| 密钥来自 QwenCloud 控制台 | 重新运行验证以确认密钥有效 |
| 密钥可能无效 |
引导用户在 home.qwencloud.com/api-keys 创建一个新密钥 |
步骤 3 — 重新运行验证。
步骤 4 — 如果仍然是 401,则密钥本身
