edit-icon download-icon


Last Updated: Jan 22, 2019

Image Search uses the symmetric encryption algorithm to verify all HTTP and HTTPS requests sent to it. Therefore, a request sent to Image Search must contain the authentication information (Access Key ID and Access Key Secret) in its header. You can apply for the Access Key ID and Access Key Secret and manage them on the Alibaba Cloud console. The Access Key ID uniquely identifies a user. The Access Key Secret is used to encrypt your signature on the client and decrypt it on the server. For security, make sure your Access Key Secret is not accessible to others.

Create a signature

A signature includes three parts: the common request header, canonicalized resource, and body. The common request header contains HTTP header parameters and Alibaba Cloud protocol header parameters.

  1. Calculate the MD5 value of the body, encode it using Base64, and add the encoded string to the header.
  2. Use the header parameters to canonicalize the header string.
    1. headerStringToSign =
    2. HTTP-Verb + "\n" + //HTTP-Verb represents a request method: POST or GET
    3. Accept + \n + //The value of Accept must be application/json
    4. Content-MD5 + "\n" + //Content-MD5 represents the calculated MD5 value
    5. Content-Type + "\n" + //The value of Content-Type must be application/octet-stream;chrset=utf-8
    6. Date + "\n" + //Date represents the GMT
    7. x-acs-signature-method:HMAC-SHA1\n +
    8. x-acs-signature-nonce:” + ${x-acs-signature-nonce} + "\n" +
    9. x-acs-version:2018-01-20" + "\n";
  3. CanonicalizedResource refers to a resource string that contains multiple sub-resource items sorted in lexicographically ascending order. The sub-resource items are separated by ampersands (&). Each sub-resource item contains a sub-resource and a query. In the following example, all parameters following the question mark (?) forms a sub-resource string.
    1. resourceStringToSign =
    2. URI + "?instanceName=" + ${instanceName};
  4. Add the header string and sub-resource string to stringToSign.
    1. stringToSign = headerStringToSign + resourceStringToSign;
  5. Use the HMAC algorithm defined in RFC2104 to calculate the HMAC value of StringToSign and then encode the HMAC value using Base64. The final signature added to Authorization must include your Access Key ID and the Base64 encoded string, as follows:
    1. Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )
    2. Authorization = "acs " + AccessKeyId + ":" + Signature

    Note: AccessSecret represents your Access Key Secret. The algorithm used to calculate your signature is HMAC-SHA1.


In this example, the request is as follows:

  1. curl -X POST
  2. -H "date:Sat 27 Jan 2018 17:53:28 GMT"
  3. -H "content-md5:MACiECZtnLiNkNS1v5ZCAA=1"
  4. -H "content-type:application/octet-stream;charset=utf-8"
  5. -H "x-acs-signature-method:HMAC-SHA1"
  6. -H "x-acs-signature-nonce:123212345678231234"
  7. -H "x-acs-version:2018-01-20"
  8. -H "accept:application/json"
  9. -d "..."
  10. "http://imagesearch.cn-shanghai.aliyuncs.com/item/search?instanceName=testInstance"

The calculated stringToSign is as follows:

  1. POST
  2. application/json
  3. MACiECZtnLiNkNS1v5ZCAA==
  4. application/octet-stream;charset=utf-8
  5. Sat 27 Jan 2018 19:54:26 GMT
  6. x-acs-signature-method:HMAC-SHA1
  7. x-acs-signature-nonce:123212345678231235
  8. x-acs-version:2018-01-20
  9. /item/search?instanceName=testInstance

In this example, the Access Key ID is testAccessKey and the Access Key Secret is testKeySecrect. The final signature is as follows:

  1. acs testAccessKey:31nTIpResD/0C8gb+ChUeuvsxlw=

Add the signature to Authorization in the request header.

Thank you! We've received your feedback.