ApsaraVideo Media Processing authenticates each access request. Therefore, a request must contain signature information regardless of whether it is submitted over HTTP or HTTPS. When you send a request, ApsaraVideo Media Processing authenticates your identity by using a symmetric-key signature based on your AccessKey ID and AccessKey secret. The AccessKey ID and AccessKey secret are issued to you by Alibaba Cloud. You can apply for and manage them on the Alibaba Cloud website. The AccessKey ID is used to verify your identity, whereas the AccessKey secret is the key used to compute the signature string and to verify it on the server. The AccessKey secret must be kept confidential and be known only to Alibaba Cloud and you.

To sign the request, follow these steps:

  1. Create a canonicalized query string based on the request parameters.
    1. Create a canonicalized query string by sorting the request parameters (including all common and operation-specific parameters except Signature) in alphabetical order.
      Note: If the request is a GET request, use the parameters in the request URI, namely, the parameters separated with ampersands (&) following the question mark (?) in the request URI.
    2. Encode the names and values of the relevant request parameters in UTF-8. The encoding rules are as follows:
      • Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
      • Other characters must be encoded in %XY format, where XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      • Extended UTF-8 characters are encoded in %XY%ZA... format.
      • Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
        Note: Most libraries that support URL encoding, such as java.net.URLEncoder, comply with the Multipurpose Internet Mail Extensions (MIME) encoding rules of application/x-www-form-urlencoded. If this encoding method is used, replace the plus signs (+) in the encoded strings with %20, the asterisks (*) with %2A, and %7E with tildes (~) to conform to the encoding rules.
    3. Use an equal sign (=) to connect the name and value of each URL-encoded request parameter as a key-value pair.
    4. Sort the key-value pairs connected by equal signs (=) in alphabetical order and separate them with ampersand signs (&).
  2. Create a string-to-sign from the encoded canonicalized query string based on the following rules:
    
    StringToSign=
    HTTPMethod + "&" +
    percentEncode("/") + "&" +
    percentEncode(CanonicalizedQueryString)

    HTTPMethod specifies the HTTP method used to submit a request, such as GET.

    percentEncode("/") specifies the encoded value for the forward slash (/) based on the URL encoding rules described in the previous step, which is %2F.

    percentEncode(CanonicalizedQueryString) specifies the canonicalized query string constructed in step 1, encoded once more by following the URL encoding rules described in step 1.

  3. Calculate the HMAC value of the string-to-sign as defined in RFC 2104.
    Note: Use the SHA1 algorithm to calculate the HMAC value of the string-to-sign. The key for the HMAC calculation is the AccessKey secret followed by an ampersand (&) (ASCII: 38).
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the signature string to the request as the value of the Signature parameter.
    Note: The signature string must be encoded like other parameters in the URL based on RFC 3986 rules before it can be submitted to the media transcoding server as the final request parameter value.
For example, the request URL of the SearchTemplate operation before signature is as follows:
http://mts.cn-hangzhou.aliyuncs.com/?Timestamp=2015-05-14T09%3A03%3A45Z&Format=XML&AccessKeyId=testId&Action=SearchTemplate&PageSize=2&SignatureMethod=HMAC-SHA1&SignatureNonce=4902260a-516a-4b6a-a455-45b653cf6150&SignatureVersion=1.0&Version=2014-06-18
The canonicalized query string is as follows:
AccessKeyId=testId&Action=SearchTemplate&Format=XML&PageSize=2&SignatureMethod=HMAC-SHA1&SignatureNonce=4902260a-516a-4b6a-a455-45b653cf6150&SignatureVersion=1.0&Timestamp=2015-05-14T09%3A03%3A45Z&Version=2014-06-18
The string-to-sign is as follows:
GET&%2F&AccessKeyId%3DtestId%26Action%3DSearchTemplate%26Format%3DXML%26PageSize%3D2%26SignatureMethod%3DHMAC-SHA1%26SignatureNonce%3D4902260a-516a-4b6a-a455-45b653cf6150%26SignatureVersion%3D1.0%26Timestamp%3D2015-05-14T09%253A03%253A45Z%26Version%3D2014-06-18
If the AccessKey ID is testId and the AccessKey secret is testKeySecret, the key used for HMAC calculation is testKeySecret&, and the calculated signature string is as follows:
kmDv4mWo806GWPjQMy2z4VhBBDQ%3D
The signed request URL with the Signature parameter added is as follows:
http://mts.cn-hangzhou.aliyuncs.com/?Signature=kmDv4mWo806GWPjQMy2z4VhBBDQ%3D&SignatureVersion=1.0&Action=SearchTemplate&Format=XML&SignatureNonce=4902260a-516a-4b6a-a455-45b653cf6150&PageSize=2&Version=2014-06-18&AccessKeyId=testId&SignatureMethod=HMAC-SHA1&Timestamp=2015-05-14T09%3A03%3A45Z

For more information about the code, see Call an API operation.
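
The five signing steps above, as an added Python example that is not part of the original page or of Alibaba Cloud's SDKs. The function names are this example's own, and verify() sketches how a receiving side could recheck a signature; it is not the service's implementation. The parameters are the decoded values from the SearchTemplate example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def percent_encode(text: str) -> str:
    # UTF-8 encode; only A-Z a-z 0-9 - _ . ~ stay literal. quote() already
    # emits %20 for spaces and %2A for asterisks; safe="~" pins the tilde.
    return quote(text, safe="~")

def canonicalized_query_string(params: dict) -> str:
    # Step 1: drop Signature, sort by name, encode names and values, join.
    # sorted() compares code points, this example's reading of "alphabetical".
    names = sorted(n for n in params if n != "Signature")
    return "&".join(f"{percent_encode(n)}={percent_encode(params[n])}" for n in names)

def string_to_sign(method: str, params: dict) -> str:
    # Step 2: the canonicalized query string is percent-encoded a second time.
    return "&".join([method, percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])

def sign(method: str, params: dict, access_key_secret: str) -> str:
    # Steps 3-4: HMAC-SHA1 keyed with "<secret>&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_query(method: str, params: dict, access_key_secret: str) -> str:
    # Step 5: Signature is percent-encoded like any other parameter value.
    signature = percent_encode(sign(method, params, access_key_secret))
    return canonicalized_query_string(params) + "&Signature=" + signature

def verify(method: str, params: dict, access_key_secret: str) -> bool:
    # Receiving side: recompute over everything except Signature and compare
    # in constant time so the check does not leak how many bytes matched.
    expected = sign(method, params, access_key_secret).encode("ascii")
    return hmac.compare_digest(expected, params.get("Signature", "").encode("utf-8"))

# Decoded parameter values from the SearchTemplate example on this page.
PARAMS = {
    "Timestamp": "2015-05-14T09:03:45Z", "Format": "XML",
    "AccessKeyId": "testId", "Action": "SearchTemplate", "PageSize": "2",
    "SignatureMethod": "HMAC-SHA1",
    "SignatureNonce": "4902260a-516a-4b6a-a455-45b653cf6150",
    "SignatureVersion": "1.0", "Version": "2014-06-18",
}

if __name__ == "__main__":
    print(signed_query("GET", PARAMS, "testKeySecret"))
```

Pass verify() the decoded parameter values, including the decoded Signature, not the raw query string.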