To ensure the security of your API, Alibaba Cloud uses the signature in the request to verify the identity of the person who calls the API. When you call an API by using HTTP or HTTPS, the request must include the signature information.

Overview

For an RPC API, you must add the signature to the API request in the following format:

https://Endpoint/?SignatureVersion=1.0&SignatureMethod=HMAC-SHA1&Signature=CT9X0VtwR86fNWSnsc6v8YGOjuE%3D&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf
The following information is displayed:
  • SignatureMethod: The hash method used to calculate the signature. HMAC-SHA1 is supported.
  • SignatureVersion: The version of the signature. The current version is 1.0.
  • SignatureNonce: A unique random number. This parameter is used to prevent replay attacks. You must use different random numbers for different requests. We recommend that you use universally unique identifiers (UUIDs).
  • Signature: The signature generated after the request has been symmetrically encrypted by using the AccessKey Secret.

Signature method

The authorization algorithm follows the RFC 2104 and HMAC-SHA1 rules. The calculated HMAC value is the signature. Different APIs contain different parameters, which result in different HMAC signatures.

Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(
StringToSign)) )
To calculate the signature, perform the following operations:
  1. Construct the string to be signed
    1. Use the request parameters to construct a canonicalized query string.
      1. Sort all request parameters (including the common request parameters and user-defined parameters for the given request interfaces described in this document, excluding the Signature parameter mentioned in common request parameters) alphabetically by the parameter name.

        When you use the GET method to submit a request, the request parameters are included as a part of the URI. The request parameters in the URI are placed after a question mark (?) and separated by ampersands (&).

      2. Parameter names and values in the request URL must be encoded in UTF-8. The encoding rules are as follows:
        • For A- Z, A- Z, 0-9, hyphen (-), underscore (_), period (.), and tilde (~).

        • Other characters are encoded in the %XYformat, where XY is the hexadecimal representation of the character in ASCII. For example, double quotation marks (") are encoded as %22.

        • Extended UTF-8 characters are encoded in the %XY%ZA… format.

        • Encode the space as %20 rather than the plus sign (+).

          This encoding method is similar to but different from the application/x-www-form-urlencoded MIME encoding algorithm (such as the java.net.URLEncoder class provided by the Java standard library). You can use this encoding method directly by replacing the plus sign (+) in the encoded string with %20, the asterisk (*) with %2A, and %7E with the tilde (~) to conform to the encoding rules described above. You can use the following percentEncode method to implement this algorithm.

          private static final String ENCODING = "UTF-8";
          private static String percentEncode(String value) throws UnsupportedEncodingException 
          {
          return value ! = null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
          }
        • Connect the encoded parameter names and their values with equal signs (=) separately.
        • Sort the parameter name and value pairs connected by the equal signs in the order specified in Sort parameters and connect the pairs with ampersands (&) to produce the canonicalized query string.
    2. Use the canonicalized query string to construct the string for signature calculation based on the following rules:
      StringToSign=
            HTTPMethod + "&" +
            percentEncode("/") + "&" +
             percentEncode(CanonicalizedQueryString)

      In the preceding rules,

      • HTTPMethod indicates that an HTTP request such as GET is submitted.
      • percentEncode(“/”) is the value (namely %2F) as the result of encoding the slash sign (/) according to the URL encoding rule described in step 1.1.
      • percentEncode(CanonicalizedQueryString) is the string from the canonicalized query string encoded according to the URL encoding rules described in Encode parameters.
  2. Signature method
    1. Calculate the HMAC value of the StringToSign based on RFC 2104.
      Note The key used for signature calculation is your AccessKey Secret followed by an ampersand (&) (ASCII code 38). The algorithm used to calculate your signature is HMAC-SHA1.
    2. Encode the HMAC value into a string based on the Base64 encoding rules. This encoded string is the signature value.
    3. Add the obtained signature value to the request parameters as the Signature parameter to sign the request.
      Note When the obtained signature value is submitted as the last parameter value, you need to encode the URL in the same way as other parameters by following the RFC3986 rule.

Examples

Example: Take the DescribeFabricOrganization operation as an example. The AccessKey ID is testid, and the AccessKey Secret is testsecret. Before the request is signed, its URL is as follows:

http://baas.aliyuncs.com/?Action=DescribeFabricOrganization&Timestamp=2018-12-23T12:46:24Z&Format=XML&AccessKeyId=testid&SignatureMethod=HMAC-SHA1&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&Version=2018-12-21&SignatureVersion=1.0

The signature string calculated by using testsecret& is as follows:

OLeaidS1JvxuMvnyHOwuJ+uX5qY=

Add the Signature parameter to the request and set the value to the calculated signature string. The URL of the signed request is as follows:

http://baas.aliyuncs.com/?Action=DescribeFabricOrganization&Timestamp=2018-12-23T12:46:24Z&Format=XML&AccessKeyId=testid&SignatureMethod=HMAC-SHA1&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&Version=2018-12-21&SignatureVersion=1.0&Signature=VyBL52idtt+oImX0NZC+2ngk15Q=