Image Search authenticates sender identities for requests. Therefore, each request must contain signature information, regardless of whether the request is sent over HTTP or HTTPS. Image Search implements symmetric encryption by using an AccessKey pair to verify the identity of a request sender. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

Note The AccessKey pair is equivalent to your password, and is required when you call API operations. The AccessKey ID is used to verify identities of users, and the AccessKey secret is used to encrypt and verify signature strings. You must keep your AccessKey secret strictly confidential. For more information, see Create an AccessKey pair.

Sign a request

A signature includes a common request header, a canonicalized resource, and a body. The common request header contains HTTP header parameters and Alibaba Cloud protocol header parameters. The following procedure shows how to sign a request:
  1. Calculate the MD5 hash value of the body, use Base64 to encode the string, and then add the encoded string to the header.
  2. Use the request header parameters to canonicalize the header string.
    headerStringToSign = 
        HTTP-Verb + "\n" +         // HTTP-Verb represents a request method that is POST or GET.
        Accept + "\n" +            // The value of Accept is application/json.
        Content-MD5 + "\n" +       // Content-MD5 represents the MD5 hash value that is calculated in Step 1.
        Content-Type + "\n" +      // The value of Content-Type is application/octet-stream;chrset=utf-8.
        Date + "\n" +              // The value of Date is the Greenwich Mean Time (GMT).
        "x-acs-signature-method:HMAC-SHA1\n" + 
        "x-acs-signature-nonce:" + ${x-acs-signature-nonce} + "\n" +
        "x-acs-version:2018-01-20" + "\n";
  3. CanonicalizedResource is the canonical description of the resource that you want to access. Sort sub-resources and the query parameters in a lexicographically ascending order and separate them by using ampersands (&) to generate a sub-resource string. The sub-resource string consists of all the parameters following the question mark (?). The following example is provided:
    resourceStringToSign = 
        URI + "? instanceName=" + ${instanceName};
  4. Construct a string-to-sign in the following format based on the preceding canonicalized query string:
    stringToSign = headerStringToSign + resourceStringToSign;
  5. Follow RFC 2104 to calculate the signature.
    Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )
    Authorization = "acs " + AccessKeyId + ":" + Signature
    Note The key that is used for signature calculation is your AccessKey secret. The hash algorithm that is used in this process is SHA1.


In this example, the following request is sent:
curl -X POST 
     -H "date:Sat 27 Jan 2018 17:53:28 GMT" 
     -H "content-md5:MACiECZtnLiNkNS1v5ZCAA=1" 
     -H "content-type:application/x-www-form-urlencoded;charset=utf-8" 
     -H "x-acs-signature-method:HMAC-SHA1" 
     -H "x-acs-signature-nonce:123212345678231234" 
     -H "x-acs-version:2019-03-25"
     -H "accept:application/json" 
     -d "..." 
The following value of the stringToSign parameter is returned:
Sat 27 Jan 2018 19:54:26 GMT
In this example, the AccessKey ID is testAccessKey and the AccessKey secret is testKeySecrect. The following signature value is returned:
acs testAccessKey:31nTIpResD/0C8gb+ChUeuvsxlw=

The signature value is assigned to the Authorization parameter in the request header.