All Products
Document Center

Signing signatures

Last Updated: Apr 30, 2019

Image Search verifies both HTTP and HTTPS requests. Therefore, all requests must carry the signature information (Authorization) in their headers. By using an AccessKey ID and an AccessKey Secret, Image Search performs symmetric encryption to authenticate the request sender. You can apply for an AccessKey ID and an AccessKey Secret and manage them on the Alibaba Cloud website. The AccessKey ID uniquely identifies a user. The AccessKey Secret is used to encrypt your signature string on the client and decrypt it on the server. For security, make sure that your AccessKey Secret is inaccessible to others.

Sign a request

A signature includes the common request header, the canonicalized resource, and the body. The common request header contains HTTP header parameters and Alibaba Cloud protocol header parameters. The procedure for signing a request is described as follows:

  1. Calculate the MD5 value of the body, use Base64 to encode the string, and then add the encoded string to the header.
  2. Use the request header parameters to canonicalize the header string.

    1. headerStringToSign =
    2. HTTP-Verb + "\n" + //HTTP-Verb represents a request method that is either POST or GET.
    3. Accept + \n + //The value of Accept is application/json.
    4. Content-MD5 + "\n" + //Content-MD5 represents the MD5 value calculated in step 1.
    5. Content-Type + "\n" + //The value of Content-Type is application/octet-stream;chrset=utf-8.
    6. Date + "\n" + //Date represents the GMT.
    7. "x-acs-signature-method:HMAC-SHA1\n" +
    8. "x-acs-signature-nonce:" + ${x-acs-signature-nonce} + "\n" +
    9. "x-acs-version:2018-01-20" + "\n";
  3. CanonicalizedResource is the canonical description of the resource you want to access. Sort sub-resources along with the query parameters (all the parameters after the question mark) in lexicographically ascending order and separate them by using ampersands (&) to generate a sub-resource string. The following is an example.

    1. resourceStringToSign =
    2. URI + "? instanceName=" + ${instanceName};
  4. For signature calculation, construct a string based on the canonicalized query string by following this format:

    1. stringToSign = headerStringToSign + resourceStringToSign;
  5. According to RFC 2104, calculate the HMAC value of StringToSign, encode the HMAC value by using Base64, and then add your AccessKey ID. The Authorization value is obtained.

    1. Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )
    2. Authorization = "acs " + AccessKeyId + ":" + Signature

Note: The key used in signature calculation is your AccessKey Secret. The hash algorithm used in this process is SHA1.


In this example, the request is as follows:

  1. curl -X POST
  2. -H "date:Sat 27 Jan 2018 17:53:28 GMT"
  3. -H "content-md5:MACiECZtnLiNkNS1v5ZCAA=1"
  4. -H "content-type:application/x-www-form-urlencoded;charset=utf-8"
  5. -H "x-acs-signature-method:HMAC-SHA1"
  6. -H "x-acs-signature-nonce:123212345678231234"
  7. -H "x-acs-version:2019-03-25"
  8. -H "accept:application/json"
  9. -d "..."
  10. ""

The calculated value of stringToSign is as follows:

  1. POST
  2. application/json
  3. MACiECZtnLiNkNS1v5ZCAA==
  4. application/x-www-form-urlencoded;charset=utf-8
  5. Sat 27 Jan 2018 19:54:26 GMT
  6. x-acs-signature-method:HMAC-SHA1
  7. x-acs-signature-nonce:123212345678231235
  8. x-acs-version:2019-03-25
  9. /v2/image/search

In this example, the AccessKey ID is testAccessKey and the AccessKey Secret is testKeySecrect. The calculated signature value is as follows:

  1. acs testAccessKey:31nTIpResD/0C8gb+ChUeuvsxlw=

The signature value is assigned to the Authorization parameter in the request header.