Authorized third-party users to download objects - Developer Guide| Alibaba Cloud Documentation Center

To authorize a third-party user to download objects from a private bucket, you can provide a signed URL or a temporary access credential instead of your AccessKey pair to the user.

Signed URL

OSS allows users to use a signed URL to download data. You can add signature information to a URL and provide the URL to a third-party user for authorized access. The third-party user can access the URL by sending a GET request to download objects.

Examples
```
http://<bucket>.<region>.aliyuncs.com/<object>?OSSAccessKeyId=<user access_key_id>&Expires=<unix time>&Signature=<signature_string>
```
This link must be URL-encoded. At least the following parameters must be included to sign the request: OSSAccessKeyId, Expires, and Signature.
- OSSAccessKeyId: The AccessKey ID of your Alibaba Cloud account.
- Expires: The expected expiration time of the URL.
- Signature: The signature string. For more information, see Add a signature to a URL.
Implementation modes
- Console
- Java SDK
- Python SDK
- PHP SDK
- Go SDK
- C SDK
- C++ SDK
- .NET SDK
- Node.js
- Browser.js
- Android SDK
- iOS SDK

Temporary access credential

OSS allows you to use Alibaba Cloud Security Token Service (STS) to authorize temporary access. You can use STS to grant a third-party application or your RAM user an access credential that specifies the custom validity period and permissions. This authorization method is applicable to object download in mobile scenarios. For more information, see Access OSS with a temporary access credential provided by STS.

Implementation
A third-party user sends a request to the application server to obtain the AccessKey ID, AccessKey secret, and STS token. The user then uses the access credential to request objects of developers.
Implementation modes
- Java SDK
- Python SDK
- PHP SDK
- Go SDK
- C SDK
- C++ SDK
- .NET SDK
- Node.js
- Browser.js
- Android SDK
- iOS SDK