In addition to using an authorization header, you can add signature information to a URL. It enables you to forward a URL to the third party for an authorized access.

Sample code

Python sample code used to add a signature to a URL:

import base64
import hmac
import sha
import urllib
h ="OtxrzxIsfpFjA7SwPzILwy8Bw21TLhquhboDYROV",
urllib.quote (base64.encodestring(h.digest()).strip())

OSS SDK provides the method for adding a signature into an URL. For the detailed usage, see Authorized access in the OSS SDK Reference.

To add a signature to the OSS SDK URL, see the following table.

SDK URL signature method Implementation file
Java SDK OSSClient.generatePresignedUrl
Python SDK Bucket.sign_url
Net SDK OssClient.GeneratePresignedUri OssClient.cs
PHP SDK OssClient.signUrl OssClient.php
JavaScript SDK signatureUrl object.js
C SDK oss_gen_signed_url oss_object.c


URL signature example:**9l&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D

The URL signature must include at least the following three parameters: Signature, Expires, and OSSAccessKeyId.

  • The Expires  parameter indicates the time-out period of a URL. The value of this parameter is UNIX time (which is the number of seconds that have elapsed since 00:00:00 UTC, January 1, 1970. For more information, see Wikipedia). If the time when OSS receives the URL request is later than the value of the Expires parameter and is included in the signature, an error code request timed-out is returned. For example, if the current time is 1141889060, to create a URL that is scheduled to expire in 60 seconds, you can set the value of Expires to 1141889120.The valid period of a URL is 3,600 seconds by default and 64,800 seconds in maximum.
  • OSSAccessKeyId refers to the AccessKeyID in the key.
  • Signature  indicates the signature information. For all requests and header parameters that OSS supports, the algorithm for adding a signature to a URL is basically the same as that of Adding a signature to a header.
    Signature = urlencode(base64(hmac-sha1(AccessKeySecret,
              VERB + "\n" 
              + CONTENT-MD5 + "\n" 
              + CONTENT-TYPE + "\n" 
              + EXPIRES + "\n" 
              + CanonicalizedOSSHeaders
              + CanonicalizedResource)))

    The difference is listed as follows:

    • When a signature is added to a URL, the Expires parameter replaces the Date parameter.
    • Signatures cannot be included in a URL and the Header at the same time.
    • If more than one incoming Signature, Expires, or AccessKeyId value is available, the first of each incoming value is used.
    • Whether the request time is later than the Expires time, is verified first before verifying the signature.
    • When you put the signature string into a URL, remember to perform the UrlEncode for a URL.
  • When you add a signature to a temporary user URL, the security-token must also be entered. The format is as follows:**9l&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D&security-token=SecurityToken

Detail analysis

  • If you adopt the approach of adding a signature to a URL, the authorized data is exposed on the Internet before the authorization period expires. We recommend that you must assess the usage risks in advance.
  • The PUT and GET requests both support adding a signature in a URL.
  • When a signature is added to a URL, the sequence of Signature, Expires, and AccessKeyId can be swapped. If one or more Signature, Expires, or AccessKeyId parameter is missing, the error 403 Forbidden is returned. Error code: AccessDenied.
  • If the current access time is later than the Expires time set in the request, the error 403 Forbidden is returned. Error code: AccessDenied.
  • If the format of the Expires time is incorrect, the error 403 Forbidden is returned. Error code: AccessDenied.
  • If the URL includes one or more Signature, Expires, or AccessKeyId parameter and the header also includes signature information, the error 400 Bad Request is returned. Error code: InvalidArgument.
  • When the signature string is generated, the Date parameter is replaced by the Expires parameter, but the headers such as content-type and content-md5 defined in the preceding section are still included. (Though the Date request header still exists in the request, you can skip adding it to the signature string.)