Alibaba Cloud performs identity authentication for every access request. Therefore, every request must include signature information, whether it is submitted over HTTP or HTTPS. The requester's identity is verified using symmetric encryption with the Access Key ID and Access Key Secret. The Access Key ID and Access Key Secret are officially issued to visitors by Alibaba Cloud (you can apply for and manage them on the Alibaba Cloud official website). Specifically, the Access Key ID indicates the identity of the visitor. The Access Key Secret is the secret key used to encrypt the signature string and to verify the signature string on the server. It must be kept strictly confidential and be known only to Alibaba Cloud and the user.
Note: Alibaba Cloud offers SDKs and third-party SDKs in different languages, which spare you from coding the signature algorithm yourself. For more information about Alibaba SDK, see Alibaba Cloud SDK.

Signature operation

To sign a request, perform the following steps.

  1. Use request parameters to construct the canonicalized query string.
    1. Sort parameters.
      All the request parameters (including the public request parameters and the user-defined parameters of the given request interface, but excluding the Signature parameter mentioned in the public request parameters) are sorted alphabetically by parameter name.
      Note: When a request is submitted using the GET method, these parameters are the parameter section of the request URI (that is, the section of the URI following ? and connected by &).
    2. Encode parameters.
      The name and value of each request parameter are encoded. The names and values must be URL-encoded as UTF-8 characters. The URL encoding rules are as follows:
      • The characters A-Z, a-z, 0-9, and -, _, ., ~ are not encoded.

      • Other characters are encoded into the %XY format, with XY representing the character's ASCII code in hexadecimal notation. For example, the English double quotation mark (") is encoded as %22.

      • Extended UTF-8 characters are encoded into the %XY%ZA… format.

      • The English space ( ) is encoded as %20, rather than the plus sign (+).

        This encoding method is similar to the commonly used application/x-www-form-urlencoded MIME type encoding (such as the one in the Java standard library), but the two differ. To apply this encoding method with a standard library, encode with the library method, then replace the plus signs (+) in the encoded string with %20, the asterisks (*) with %2A, and change %7E back to the tilde (~) to get the encoded string described in the previous rules. This algorithm can be implemented by using the following method:

        import java.io.UnsupportedEncodingException;
        import java.net.URLEncoder;
        private static final String ENCODING = "UTF-8";
        private static String percentEncode(String value) throws UnsupportedEncodingException {
            return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
        }
    3. Connect the encoded parameter names and values with the English equals sign (=).
    4. Then, sort the parameter name and value pairs connected by equals signs in alphabetical order and connect them with the & symbol to produce the Canonicalized Query String.
  2. Construct the string for signature calculation using the canonicalized query string in the previous step according to the following rules.
    StringToSign =
    HTTPMethod + "&" +
    percentEncode("/") + "&" +
    percentEncode(CanonicalizedQueryString)
    • HTTPMethod is the HTTP method used for request submission, for example, GET.

    • percentEncode("/") is the encoded value (%2F) of the character /, which is obtained according to the URL encoding rules described in 1.ii.

    • percentEncode(CanonicalizedQueryString) is the Canonicalized Query String (constructed in Step 1) that is encoded according to the URL encoding rules described in 1.ii.

  3. Use the previous signature string to calculate the signature's HMAC value based on the RFC 2104 definitions.
    Note: The key used for signature calculation is the Access Key Secret held by the user plus the & character (ASCII: 38), and the SHA1 hashing algorithm is used.
  4. Encode the previous HMAC value into a string based on Base64 encoding rules to obtain the signature value (Signature).
  5. Add the obtained signature value to the request parameters as the Signature parameter to sign the request.
    Note: Like the other parameters, the obtained signature value must be URL-encoded according to the RFC 3986 rules before it is submitted to the live server as the final request parameter value.
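
Steps 1 to 5 above carried through end to end, as an added Python example; it is not code from the original page or from an Alibaba Cloud SDK. The sample parameters are constructed, the key pair is the page's test pair (testid / testsecret), and sorting by code point is an assumed reading of "alphabetically". The `verify` function shows the server-side recomputation with a constant-time comparison.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample request (illustrative parameter names and values);
# the key pair used with it is the page's test pair: testid / testsecret.
SAMPLE = {
    "Action": "DescribeLiveSnapshotConfig",
    "AccessKeyId": "testid",
    "DomainName": "live.example.com",
    "AppName": "my app*~",
}

def percent_encode(value):
    # Step 1.ii: only A-Z a-z 0-9 - _ . ~ stay literal; space becomes %20.
    return quote(str(value), safe="-_.~", encoding="utf-8")

def canonicalized_query_string(params):
    # Steps 1.i-1.iv: drop Signature, sort by name, encode, join with = and &.
    # Assumption: "alphabetically" means case-sensitive code-point order.
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in items)

def string_to_sign(method, params):
    # Step 2: HTTPMethod & percentEncode("/") & percentEncode(query string).
    query = percent_encode(canonicalized_query_string(params))
    return "&".join([method, percent_encode("/"), query])

def sign(method, params, access_key_secret):
    # Steps 3-4: HMAC-SHA1 (RFC 2104) keyed with secret + "&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    message = string_to_sign(method, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode("ascii")

def signed_query(method, params, access_key_secret):
    # Step 5: the Signature value is itself percent-encoded before sending.
    signature = percent_encode(sign(method, params, access_key_secret))
    return canonicalized_query_string(params) + "&Signature=" + signature

def verify(method, params, access_key_secret):
    # Server-side view: recompute over everything except Signature and
    # compare in constant time so the check does not leak matching prefixes.
    supplied = str(params.get("Signature", "")).encode("utf-8")
    expected = sign(method, params, access_key_secret).encode("utf-8")
    return hmac.compare_digest(supplied, expected)
```

Because the Base64 alphabet includes +, / and =, skipping the final percent-encoding in step 5 yields a signature that fails verification for some requests and not others.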


Taking DescribeLiveSnapshotConfig as an example, the request URL before signing is as follows:
The StringToSign is:
Assume the Access Key ID is testid, the Access Key Secret is testsecret, and the key used for HMAC calculation is testsecret&; the calculated signature value is:
The signed request URL is (note the added Signature parameter):