Add a signature to URL

Last Updated: Dec 22, 2017

In addition to using an authorization header, you can also add signature information to a URL so that you can forward the URL to a third party for authorized access.


URL signature example:


The URL signature must include at least the following three parameters: Signature, Expires, and AccessKeyId.

  • The Expires parameter indicates the time-out time of the URL. The value of this parameter is UNIX time (which is the number of seconds that have elapsed since 00:00:00 UTC, January 1, 1970. For more information, see Wikipedia). If the time when the OSS receives the URL request is later than the value of the Expires parameter included in the signature, an error code indicating that the request has timed out is returned. For example, if the current time is 1141889060, to create a URL that will expire in 60 seconds, you can set the value of Expires to 1141889120.
  • AccessKeyId refers to the AccessKeyId in the key.
  • Signature indicates the signature information. For all requests and header parameters that OSS supports, the algorithm for adding a signature to a URL is basically the same as that for adding a signature to a header.
    1. Signature = urlencode(base64(hmac-sha1(AccessKeySecret,
    2. VERB + "\n"
    3. + CONTENT-MD5 + "\n"
    4. + CONTENT-TYPE + "\n"
    5. + EXPIRES + "\n"
    6. + CanonicalizedOSSHeaders
    7. + CanonicalizedResource)))

Specifically, the differences mainly lie in the following:

  1. When a signature is added to a URL, the Expires parameter replaces the Date parameter.
  2. Signatures cannot be included in the URL and the Header at the same time.
  3. If more than one incoming Signature, Expires, or AccessKeyId value is available, the first of each incoming value is used.
  4. Whether the request time is later than the Expires time is verified first before the signature is verified.
  5. When you put the signature string into the URL, remember to perform the UrlEncode for the URL.
  • When you add a signature to a temporary user URL, the ‘security-token’ must be carried. The format is as follows:

Sample code

Python sample code used to add a signature to a URL:

  1. import base64
  2. import hmac
  3. import sha
  4. import urllib
  5. h ="OtxrzxIsfpFjA7SwPzILwy8Bw21TLhquhboDYROV",
  6. "GET\n\n\n1141889120\n/oss-example/oss-api.pdf",
  7. sha)
  8. urllib.quote (base64.encodestring(h.digest()).strip())


  • The preceding code is the Python sample code
  • OSS SDK provides the method for adding a signature into the URL. For usage, see the ‘Authorize Access’ section in the SDK file.
  • For the implementation of adding a signature to the OSS SDK URL, see the following table.
SDK URL signature method Implementation file
Java SDK OSSClient.generatePresignedUrl
Python SDK Bucket.sign_url
.Net SDK OssClient.GeneratePresignedUri OssClient.cs
PHP SDK OssClient.signUrl OssClient.php
JavaScript SDK signatureUrl object.js
C SDK oss_gen_signed_url oss_object.c

Detail analysis

  1. If you adopt the approach of adding a signature to a URL, the authorized data is exposed on the Internet before the authorization period expires. Please assess the usage risks in advance.
  2. The PUT and GET requests both support adding a signature in a URL.
  3. When a signature is added to a URL, the sequence of Signature, Expires, and AccessKeyId can be swapped. If one or more Signature, Expires, or AccessKeyId parameter are missing, the error 403 Forbidden is returned. Error code: AccessDenied.
  4. If the current access time is later than the Expires time set in the request, the error 403 Forbidden is returned. Error code: AccessDenied.
  5. If the format of the Expires time is incorrect, the error 403 Forbidden is returned. Error code: AccessDenied.
  6. If the URL includes one or more Signature, Expires, or AccessKeyId parameter and the header also includes signature information, the error 400 Bad Request is returned. Error code: InvalidArgument.
  7. When the signature string is generated, the Date parameter is replaced by the Expires parameter, but the headers such as content-type and content-md5 defined in the foregoing section are still included. (Though the Date request header still exists in the request, it does not need to be added to the signature string.)
Thank you! We've received your feedback.