You must sign all API requests to ensure security. Alibaba Cloud uses the request signature to verify the identity of the API caller. When you call an API operation by using HTTP or HTTPS, the request must include the signature information.


You must add the signature to the Anti-DDoS Pro or Anti-DDoS Premium API request in the following format:

  • SignatureMethod: the algorithm used to calculate the signature string. Set the value to HMAC-SHA1.
  • SignatureVersion: the version of the signature algorithm. Set the value to 1.0.
  • SignatureNonce: a unique, random number used to prevent replay attacks. You must use different random numbers for different requests. We recommend that you use universally unique identifiers (UUIDs).
  • Signature: the signature string calculated for the request by using the AccessKey secret.
The signature algorithm complies with RFC 2104 HMAC-SHA1 specifications. The AccessKey secret is used to calculate the hash-based message authentication code (HMAC) value of the encoded and sorted query string, and the HMAC value is used as the signature string. Request signatures include operation-specific parameters. Therefore, the signature of a request varies depending on the request parameters. To calculate the signature string, you can follow the steps in this topic.
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )

Step 1: Compose and encode a string-to-sign

  1. Create a canonicalized query string by arranging the request parameters.
    1. Arrange the request parameters (including all common and operation-specific parameters except Signature) in alphabetical order.
      Note If you use the GET method to submit the request, these parameters are the part located after the question mark (?) and connected by the ampersands (&) in the request uniform resource identifier (URI).
    2. Encode the canonicalized query string in UTF-8. The following table describes the encoding rules.
      Character | Encoding rule
      --------- | -------------
      Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) | These characters do not need to be encoded.
      Other characters | Other characters must be percent encoded in %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      Extended UTF-8 characters | These characters are encoded in %XY%ZA... format.
      Spaces | Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
      This encoding rule is different from the application/x-www-form-urlencoded MIME encoding algorithm that is implemented by, for example, the URLEncoder class in the Java standard library. You can first encode the value by using the standard library and then replace the plus sign (+) with %20, the asterisk (*) with %2A, and %7E with the tilde (~) in the encoded string to obtain a string that complies with the preceding encoding rules. The following percentEncode method implements this algorithm.
      private static final String ENCODING = "UTF-8";
      // Requires java.net.URLEncoder and java.io.UnsupportedEncodingException.
      private static String percentEncode(String value) throws UnsupportedEncodingException {
          return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
      }
    3. Connect the encoded parameter names and their values by using equal signs (=).
    4. Sort the connected parameter name and value pairs in the order specified in step 1.i and connect the pairs by using ampersands (&) to obtain the canonicalized query string.
  2. Create a string-to-sign from the encoded canonicalized query string.
          StringToSign =
              HTTPMethod + "&" +
              percentEncode("/") + "&" +
              percentEncode(CanonicalizedQueryString)


    • HTTPMethod indicates the HTTP method used to send the request, such as GET.
    • percentEncode("/") is the encoded value ("%2F") of a forward slash (/) based on the URL encoding rules described in step 1.ii.
    • percentEncode(CanonicalizedQueryString) is the canonicalized query string encoded based on the URL encoding rules described in step 1.ii.

Step 2: Calculate the signature string

  1. Calculate the RFC 2104-compliant HMAC value of the string-to-sign.
    Note Use the SHA1 algorithm to calculate the HMAC value of the string-to-sign. Append an ampersand (&) (ASCII code: 38) to your AccessKey secret to obtain the key for the HMAC calculation.
  2. Encode the HMAC value in Base64 to obtain the signature string.
  3. Add the signature string to the request as the Signature parameter.
    Note When you submit the signature string as the last request parameter value, you must encode it according to RFC 3986, in the same way that you encode the values of the other parameters added to the URL.
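
The two steps above carried through end to end, as an added Python example (not code from Alibaba Cloud). The sample request is constructed: DescribeInstanceIds and testid come from this topic's example, while the nonce value and the Remark parameter are hypothetical and exist only to exercise the encoding rules.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value: str) -> str:
    # Only A-Z a-z 0-9 - _ . ~ stay literal; space -> %20, * -> %2A, UTF-8 bytes -> %XY.
    return quote(str(value), safe="-_.~")


def canonicalized_query_string(params: dict) -> str:
    # Step 1.1: drop Signature, sort by parameter name, encode names and values, join.
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in pairs)


def string_to_sign(method: str, params: dict) -> str:
    # Step 1.2: the canonicalized query string is percent-encoded a second time.
    return "&".join([method.upper(), percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])


def sign(method: str, params: dict, access_key_secret: str) -> str:
    # Step 2: the HMAC key is the AccessKey secret followed by "&".
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def signed_query(method: str, params: dict, access_key_secret: str) -> str:
    # Step 2.3: the Base64 signature may contain + / =, so it is percent-encoded too.
    signature = sign(method, params, access_key_secret)
    return canonicalized_query_string(params) + "&Signature=" + percent_encode(signature)


# Constructed sample request. A real request uses a fresh UUID as SignatureNonce;
# "Remark" is a hypothetical parameter, not part of the Anti-DDoS API.
SAMPLE = {
    "Action": "DescribeInstanceIds",
    "AccessKeyId": "testid",
    "SignatureMethod": "HMAC-SHA1",
    "SignatureVersion": "1.0",
    "SignatureNonce": "constructed-nonce-0001",
    "Remark": 'a b*c~"d"',
}
```

Calling `signed_query("GET", SAMPLE, "testsecret")` returns the query string to place after the question mark (?) in the request URI.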


Use the DescribeInstanceIds operation as an example. Assume that the AccessKey ID is testid and the AccessKey secret is testsecret. The request URL to be signed is as follows:

The signature string calculated by using testsecret& is as follows:


Add the Signature parameter to the request and set the value to the calculated signature string. The URL of the signed request is as follows: