Signature method - API Reference| Alibaba Cloud Documentation Center

Overview

To sign a RESTful API request, you must add the Authorization field to the request header in the following format:

Authorization:acs:AccessKeyId:Singature

where:

acs: the abbreviation for Alibaba Cloud Service. This is a fixed field and cannot be modified.
AccessKeyId: the AccessKey ID used to call the API.
Signature: the signature generated after the request has been symmetrically encrypted by using the AccessKey secret.

Signature calculation

The signature algorithm complies with the HMAC-SHA1 specifications in RFC 2104. It uses an AccessKey secret to calculate the Hash-based Message Authentication Code (HMAC) of an encoded and formatted query string and use the HMAC value as the signature. The request signature includes operation-specific parameters. Therefore, the signature of each request varies depending on the request parameters.

Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(
StringToSign)) )

To calculate a signature, perform the following steps:

Compose a string-to-sign (StringToSign).

The StringToSign is a string assembled by using related elements in an API request. It is used to calculate the signature and contains the following elements:

HTTP header
Alibaba Cloud protocol headers (CanonicalizedHeaders)
Canonicalized resource (CanonicalizedResource)
Body

The string-to-sign must be created in the following format:

StringToSign = 
       //HTTP header
        HTTP-Verb + "\n" +
        Accept + "\n" +
        Content-MD5 + "\n" +//Place the request body encrypted by using the MD5 algorithm in this field.
        Content-Type + "\n" +
        Date + "\n" +
       //Alibaba Cloud protocol headers (CanonicalizedHeaders)
        CanonicalizedHeaders +
       //Canonicalized resource (CanonicalizedResource)
        CanonicalizedResource

Example of an original request:

POST /stacks? name=test_alert&status=COMPLETE HTTP/1.1
Host: ***.aliyuncs.com
Accept: application/json
Content-MD5: ChDfdfwC+Tn874znq7Dw7Q==
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Date: Thu, 22 Feb 2018 07:46:12 GMT 
x-acs-signature-nonce: 550e8400-e29b-41d4-a716-446655440000
x-acs-signature-method: HMAC-SHA1
x-acs-signature-version: 1.0
x-acs-version: 2016-01-02

Example of a canonicalized request:

POST
application/json
ChDfdfwC+Tn874znq7Dw7Q==
application/x-www-form-urlencoded;charset=utf-8
Thu, 22 Feb 2018 07:46:12 GMT
x-acs-signature-nonce: 550e8400-e29b-41d4-a716-446655440000
x-acs-signature-method:HMAC-SHA1
x-acs-signature-version:1.0
x-acs-version:2016-01-02
/stacks? name=test_alert&status=COMPLETE

Add the signature string.
Add the calculated signature in the following format to the request header:

Authorization: acs AccessKeyId:Signature

HTTP header

The HTTP header in the StringToSign must contain the values of the following parameters. Parameters must be sorted in alphabetical order. If a parameter has no value, replace it with \n.

Accept: the response type required by the client. Valid values: application/json and application/xml.
Content-MD5: the 128-bit MD5 hash value of the request body represented as a Base64 string.
Content-Type: the type of the HTTP request body defined in RFC 2616.
Date: the GMT time specified in HTTP 1.1. Example: Wed, 05 Sep. 2012 23:00:00 GMT.

Note The HTTP header does not need to contain the AccessKey.

Example of an original header:

Accept: application/json
Content-MD5: ChDfdfwC+Tn874znq7Dw7Q==
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Date: Thu, 22 Feb 2018 07:46:12 GMT

Example of a canonicalized header:

application/json
ChDfdfwC+Tn874znq7Dw7Q==
application/x-www-form-urlencoded;charset=utf-8
Thu, 22 Feb 2018 07:46:12 GMT

Alibaba Cloud protocol headers (CanonicalizedHeaders)

CanonicalizedHeaders are non-standard HTTP headers of Alibaba Cloud. They are parameters prefixed with x-acs- in a request. A request must contain the following parameters:

x-acs-signature-nonce: a unique number that is randomly generated to prevent network replay attacks. You must use different numbers for different requests.
x-acs-signature-version: the version of the signature encryption algorithm. Set the value to 1.0.
x-acs-version: the version number of the API. For more information, see the API documentation of each product.

To construct Alibaba Cloud canonicalized headers, perform the following steps:

Convert the names of all HTTP request headers prefixed with x-acs- to lowercase letters. For example, convert X-acs-OSS-Meta-Name: TaoBao to x-acs-oss-meta-name: TaoBao.
Arrange all HTTP request headers that are obtained from the preceding step in alphabetical order.
Delete all spaces on either side of a delimiter between the request header and its content. For example, convert x-acs-oss-meta-name: TaoBao,Alipay to x-acs-oss-meta-name:TaoBao,Alipay.
Separate all headers and content with delimiters (\n) to form the final CanonicalizedHeaders.

Example of an original header:

x-acs-signature-nonce: 550e8400-e29b-41d4-a716-446655440000
x-acs-signature-method: HMAC-SHA1
x-acs-signature-version: 1.0
x-acs-version: 2016-01-02GMT

Example of a canonicalized header:

x-acs-signature-nonce:550e8400-e29b-41d4-a716-446655440000
x-acs-signature-method:HMAC-SHA1
x-acs-signature-version:1.0
x-acs-version:2016-01-02

Canonicalized resource (CanonicalizedResource)

CanonicalizedResource represents the specification description of the resource to be accessed. Sort sub-resources along with query in alphabetical order and separate them with ampersands (&) to generate a sub-resource string. The sub-resource string consists of all parameters following the question mark (?).

Example of an original request:

/stacks? status=COMPLETE&name=test_alert

Example of a canonicalized request:

/stacks? name=test_alert&status=COMPLETE

Body

Encrypt the request body by using the MD5 algorithm, encode the request body in Base64, and add the Base64-encoded string to the Content-MD5 parameter.