To publish a third-party software as a service (SaaS) product in Alibaba Cloud Marketplace, an independent software vendor (ISV) must define relevant SPI operations. By providing these operations, the ISV can obtain purchase information and activate the SaaS product for customers. Security verification is required for each SPI call. This topic describes the security scheme for SPI operations.

Target products

This security scheme is applicable to all SaaS products that are produced in SPI mode.

Security scheme

Security verification is required for each SPI call. A token is provided in each call. An ISV must verify the token after receiving it.

To generate a token, obtain all parameters except the token parameter from the HTTP GET request, arrange the parameters in alphabetical order to obtain a string, suffix the string with the security key of the ISV, and then encrypt the final string in MD5.

Note Alibaba Cloud Marketplace may add specific parameters when calling an operation. Therefore, you must obtain all parameters except the token parameter from the HTTP GET request and generate a token based on the preceding rules. Then, check whether the generated token is the same as the value of the token parameter provided by Alibaba Cloud Marketplace.

Example

Request: http://www.isvwebsite.com?p1=1&p2=2&p3=3&token=xxxx

Token: "p1=1&p2=2&p3=3&key=isvkey".toMD5()