The first time you access a third-party application using an Alibaba Cloud account, a Resource Access Management (RAM) user, or a RAM role, you must install and authorize the application.
Prerequisites
To perform the authorization operations in this topic, you must use an Alibaba Cloud account or a RAM administrator. A RAM administrator is a RAM user that has the AliyunRAMFullAccess permission.
Grant authorization and install a third-party application
The first time you access a third-party application, carefully review the authorization scopes, which include required and optional scopes. Then, click Authorize to grant the permissions. The application is installed during the authorization process.
After an Alibaba Cloud account or a RAM administrator authorizes a third-party application, RAM users under that Alibaba Cloud account do not need to authorize the application again.
After authorization is complete, the application obtains your identity and permission information. If the authorization scope includes permissions for cloud products, the third-party application can use your identity to access Alibaba Cloud resources.
Required scope
The required scope is an OAuth authorization scope defined by the third-party application. This scope contains the data or permissions that the application must obtain. The required scope is selected by default and cannot be cleared. If you do not want to grant the permissions in this scope, you must reject the authorization. If rejecting the authorization prevents the application from functioning correctly, contact the application provider for assistance.
Optional scope
The optional scope is an OAuth authorization scope defined by the third-party application. This scope contains data or permissions that the application requests to obtain. You can decide whether to grant these permissions based on your requirements.
View an authorization
After a third-party application is authorized, you can view its name, ID, authorization time, and authorization scope in the RAM console.
Log on to the RAM console.
In the navigation pane on the left, choose .
On the Third-party Application tab, click the name of the target application to view its authorization information.
Revoke an authorization
If you no longer want a third-party application to have access, you can revoke its authorization.
Log on to the RAM console.
In the navigation pane on the left, choose .
On the Third-party Application tab, find the target application and click Delete Application in the Actions column.
In the Delete Application dialog box, click Delete Application.
Re-authorize an application
If you want to change the authorization scope, you must first revoke the authorization. Then, access the third-party application again to start a new authorization process.
Proactively install official applications
Official applications are also a type of third-party application. When you first access an official application, you must complete the authorization and installation process described in this topic. Alternatively, a RAM administrator can proactively install the official application in the RAM console. After installation, the RAM administrator must assign users to the official application. Assigned users still need to grant authorization the first time they access the application. This allows the application to retrieve their identity and permission information.
The procedure to proactively install an official application is as follows:
Log on to the RAM console as a RAM administrator.
In the navigation pane on the left, choose .
On the Third-party Application tab, click Install Official Application.
In the Install Official Application dialog box, select the target official application and click OK.
NoteFor a list of supported official applications, see the console. For example, OpenAPI MCP Server.