Signature mechanism

Last Updated: Apr 19, 2017

The ROA-style API signature consists of two parts: public request headers (HTTP header parameters and Alibaba Cloud protocol header parameters) and CanonicalizedResource. The message body is not included in the signature.

Public request headers

Name Description
Authorization Authentication information used to verify request validity, in the format of acs AccessKeyId:signature.
Content-Length HTTP request content length defined in RFC 2616.
Content-Type HTTP request content type defined in RFC 2616.
Content-MD5 Base64-encoded 128-bit MD5 hash value of the HTTP message body. It is recommended that Content-MD5 be added to all requests to prevent tampering.
Date Request time in GMT format, for example, Wed, 26 Aug. 2015 17:01:00 GMT.
Accept Return-value type required by the client, which can be application/json or application/xml.
Host Address of the accessed host, for example,
x-acs-signature-nonce Unique random number, which is used to prevent network replay attacks. You must use different random numbers for different requests.
x-acs-signature-method Signature method, which uses HMAC-SHA1 only at present.
x-acs-signature-version Signature version, which is 1.0 currently.

Signature calculation method

ROA-style API requests are signed using the standard Authorization header. The request format is as follows:

  1. Authorization: acs AccessKeyId:Signature

Signature calculation for public request headers

Http Header

Signature calculation must include the values of the following parameters: Accept, Content-MD5, Content-Type, and Date (without keys). (Content-Length is not included in the signature.) Parameters must be sorted in order. If a parameter has no value, it is filled with “\n”.

Alibaba Cloud protocol headers (CanonicalizedHeaders)

CanonicalizedHeaders are the non-standard HTTP headers of Alibaba Cloud. They are the parameters prefixed with “x-acs-“ in a request.

CanonicalizedHeaders are constructed as follows:

  1. Convert the names of all HTTP request headers prefixed with “x-acs-“ into lowercase letters. For example, ‘X-acs-OSS-Meta-Name: TaoBao’ is converted into ‘x-acs-oss-meta-name: TaoBao’. The names of request headers are case-insensitive according to Alibaba Cloud’s specification. However, it is recommended that such names use only lowercase letters here.

  2. If the value section of a public request header is too long, replace the “\t”, “\n”, “\r”, and “\f” separators with spaces.

  3. Sort all HTTP request headers that are obtained from the preceding step and compliant with Alibaba Cloud’s specification in the lexicographically ascending order.

  4. Delete any space at either side of a separator between each request header and content. For example, convert ‘x-acs-oss-meta-name: TaoBao,Alipay’ into ‘x-acs-oss-meta-name:TaoBao,Alipay’.

  5. Separate all headers and content with the ‘\n’ separator to form the final CanonicalizedHeaders.

How to include CanonicalizedResource in the signature – qureyString

CanonicalizedResource is the standard description of the resource to be accessed. Sort sub-resources along with query in the lexicographically ascending order and separate them using the ‘&’ separator to generate a sub-resource string (which consists of all parameters after the question mark “?”). For example:


The sorting result is:

  1. name=test_alert+"\n"+
  2. status=COMPLETE

Signature encapsulation

  1. Authorization = acs AccessKeyId + ":" + Signature
  2. Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(
  3. StringToSign) ) )
  4. StringToSign =

HTTP headers

  1. HTTP-Verb + "\n" +
  2. Accept + "\n" +
  3. Content-MD5 + "\n" +
  4. Content-Type + "\n" +
  5. Date + "\n" +

Alibaba Cloud protocol headers (CanonicalizedHeaders):

  1. CanonicalizedHeaders +

How to include CanonicalizedResource in the signature – qureyString

  1. CanonicalizedResource
Thank you! We've received your feedback.