Message Queue for Apache RocketMQ (RocketMQ) verifies each HTTP request for access. Each HTTP request that is submitted to RocketMQ contains an Authorization header, and the Authorization header contains a signature. This topic describes how to generate a signature.


Alibaba Cloud issues an AccessKey pair that consists of an AccessKey ID and an AccessKey secret to a visitor. The visitor can apply for and manage them in the Alibaba Cloud console.

  • The AccessKey ID is used to verify the identity of the user
  • The AccessKey secret is used to encrypt and verify the signature string on the server. You must keep your AccessKey secret strictly confidential.

The HTTP service provided by RocketMQ implements symmetric encryption with an AccessKey pair to verify the identity of the request sender. If the calculated verification code is the same as the one provided, the request is considered to be valid. Otherwise, the HTTP service rejects the request and returns HTTP 403.

You must add an Authorization header to every HTTP request and include the signature in the header, which indicates that the message is authorized.


The format of an Authorization header is as follows:

MQ <AccessKeyId>:<Signature>

A signature is generated as follows:

Signature = base64(hmac-sha1(HTTP_METHOD + "\n"
                + "\n"+ CONTENT-TYPE + "\n"
                + DATE + "\n"
                + "x-mq-version:" + MQVersion + "\n"
                + CanonicalizedResource))       
  • HTTP_METHOD: indicates an uppercase HTTP method such as PUT, GET, POST, or DELETE.
  • CONTENT-TYPE: indicates the type of request content, which is text/xml; charset=utf-8.
  • DATE: indicates the operation time. It cannot be empty and must be in GMT format, for example, Thu, 07 Mar 2012 18:49:58 GMT.
  • MQVersion: indicates the version of the RocketMQ API. The current version is 2015-06-06.
  • CanonicalizedResource: indicates the Uniform Resource Identifier (URI) of the resource requested by an HTTP request. For example, the URI of a consumption request is /topics/abc/messages? consumer=GID_abc.
  • A signature string must be in UTF-8 format.
  • The signature method is the HMAC-SHA1 method that is defined by RFC 2104. Here, the key is the AccessKey secret.