Sign API requests

For each HTTP or HTTPS request, Alibaba Cloud uses the request signature to verify the identity of the API caller. You must perform the following steps to sign a request:

• Step 1: Construct a canonicalized header
• Step 2: Construct a canonicalized resource
• Step 3: Construct a string-to-sign
• Step 4: Calculate the signature string
• Step 5: Add the signature to the request

Canonicalized headers are non-standard HTTP headers. Canonicalized headers refer to the parameters that are prefixed with x-acs- in the request. You can perform the following steps to construct canonicalized headers:

• Convert all HTTP header field names prefixed with x-acs- to lowercase letters. For example, convert X-acs-Meta-Name: TaoBao to x-acs-meta-name: TaoBao. Header field names are not case-sensitive. We recommend that you use lowercase letters.
• If a header field value is too long, replace specific delimiters with spaces. The delimiters include \t, \n, \r, and \f.
• Sort all HTTP headers that you obtained in the preceding step in ascending lexicographic order.
• Delete all spaces on both sides of the delimiter that separates the field name and field value of each header. For example, convert x-acs-oss-meta-name : TaoBao,Alipay to x-acs-oss-meta-name:TaoBao,Alipay.
• Append the \n delimiter to the end of each header, and then concatenate all the headers.

Canonicalized resources refer to the canonical descriptions of the resources that you want to access. You can perform the following steps to construct canonicalized resources:

1. Sort the parameters in the request query string by name in lexicographic order, and concatenate the parameters with an ampersand (&) delimiter to generate the sorted query string.

   Skip this step if the request does not contain a query string.

2. Concatenate the requested resource path and the sorted query string with a question mark (?). The resource path refers to the string between the host address and the query string, which includes the forward slash (/) following the host address but excludesthe question mark (?) that precedes the query string.This generates a canonicalized resource. If the request does not contain a query string, use the requested resource path as the canonicalized resource.

Original request URL:

http://demo-product.aliyuncs.com/instances?status=ONLINE&group=test_group

Canonicalized resource:

/instances?group=test_group&status=ONLINE

Construct a string-to-sign based on the following pseudocode:

StringToSign = 
    HTTP-Verb + "\n" +
    Accept + "\n" +
    Content-MD5 + "\n" +
    Content-Type + "\n" +
    Date + "\n" +
    CanonicalizedHeaders +
    CanonicalizedResource

Parameter	Description
HTTP-Verb	The HTTP method in uppercase letters, such as POST and GET.
Accept	The value of the Accept header field. Set the value to an empty string if this header does not exist.
Content-MD5	The value of the Content-MD5 header field. Set the value to an empty string if this header does not exist.
Content-Type	The value of the Content-Type header field. Set the value to an empty string if this header does not exist.
Date	The value of the Date header field.
CanonicalizedHeaders	The canonicalized header that you obtained in Step 1: Construct a canonicalized header.
CanonicalizedResource	The canonicalized resource that you obtained in Step 2: Construct a canonicalized resource.

Calculate the hash-based message authentication code (HMAC) value of the string-to-sign by using the HMAC-SHA1 algorithm and then encode the HMAC value into a signature string based on Base64 encoding rules. For more information about HMAC, see RFC 2104.

Signature = Base64( HMAC-SHA1( SigningKey, StringToSign ) )

After you obtain the signature string, construct the Authorization header value based on the following formula:

Authorization = "acs " + AccessKeyId + ":" + Signature