Authorized third-party download

Last Updated: Dec 07, 2017

Use a URL signature, or provide temporary access credentials, to grant third party authorization to download objects in a private bucket. These methods are recommended as they prevent directly giving the AccessKey to users requesting download permissions, which can weaken account security.

URL signature

A developer can add a signature into the URL and forward this URL to a third party to authorize access. The third-party user can then access this URL using an HTTP GET request to download the object.

Implementation method

Example URL that includes a signature:

  1. http://<bucket>.<region><object>?OSSAccessKeyId=<user access_key_id>&Expires=<unix time>&Signature=<signature_string>

The signature in the URL must include the following three parameters:

  • OSSAccessKeyId, which is the developer’s AccessKeyId.
  • Expires, which is the developer’s expected URL expiration time.
  • Signature, which is the developer’s signature string. For more information, see API Documentation - signature section.

NOTE: This link must undergo URL encoding.


NOTE: If the bucket permission is set to private read/write permission, the access URL provided on the console contains a signature.

Temporary access credentials

Security Token Service (STS) can be used to provide temporary credentials to third-party users. By adding a signature in the request header, users can then access the object. This authorization method is applicable to mobile scenario downloads. For more information on the implementation of temporary access credentials, see STS Java SDK.

Implementation method

  1. Third-party users send a request to the application server to obtain an AccessKeyID, AccessKeySecret, and STS Token issued by STS.
  2. Upon receipt, the AccessKeyID, AccessKeySecret, and STS Token are used as a signature to request the developer’s object resource.


Best practices

Additional links

Thank you! We've received your feedback.