All Products
Document Center


Last Updated: May 28, 2018

The API signature consists of two parts: common request headers (HTTP header parameters and Alibaba Cloud protocol header parameters) and canonicalized resource. The message body is not included in the signature.

The AccessKey ID and AccessKey Secret are officially issued to visitors by Alibaba Cloud (visitors can apply for and manage them at Alibaba Cloud official website). The AccessKey ID indicates the identity of the visitor. The AccessKey Secret is the secret key used to encrypt and verify the signature string on the server. It must be kept confidential and only be known to Alibaba Cloud and the user.

The system verifies each access request it receives. Therefore, all requests must contain the signature information. The system performs symmetric encryption by using the AccessKey Id and AccessKey Secret to verify the identity of request senders. If the calculated verification code is the same as the one provided, the request is considered as valid. Otherwise, the request is rejected, and HTTP 403 error is returned.

The request requires a signature being included in the HTTP header in the format of Authorization: acs [accessKeyId]:[Signature].

Signature calculation method

The signature calculation method is as follows:

  1. Signature = base64(hmac-sha1(VERB + "\n"
  2. + ACCEPT + "\n" +
  3. + Content-MD5 + "\n"
  4. + Content-Type + "\n"
  5. + Date + "\n"
  6. + CanonicalizedHeaders + "\n"
  7. + CanonicalizedResource))
  • VERB indicates the HTTP method, for example, PUT.
  • Accept indicates the type of returned value required by the user, application/json and application/xml are supported.
  • Content-MD5 indicates the MD5 value of the requested content.
  • Content-Type indicates the type of the requested content.
  • Date indicates the operation time, which cannot be null. Currently, only the GMT format is supported. For example, Thu, 17 Mar 2018 18:00:00 GMT. If the difference between the request time and the server time exceeds 15 minutes, system considers the request as invalid and returns error 400.
  • CanonicalizedHeaders indicates a combination of fields started with x-acs- in the HTTP request.
  • CanonicalizedResource indicates the uniform resource identifier (URI) of the resource in the HTTP request. For example, /namespaces.

Canonicalized headers

Before signature verification, canonicalized headers (headers started with x-acs-) must meet the following specifications:

  1. Convert the names of all HTTP request headers started with x-acs- to lowercase letters. For example, convert X-ACS-Meta-Name: TaoBao to x-acs-meta-name: TaoBao. According to Alibaba Cloud specifications, the names of request headers are case-insensitive. However, we recommend that you use the lowercase letters.

  2. If the value part of a common request header is too long, replace the \t, \n, \r, and \f separators with spaces.

  3. All HTTP request headers obtained in the previous step and compliant with Alibaba Cloud specifications are sorted in the ascending alphabetical order.

  4. Delete any space at either side of a separator between request header and content. For example, convert x-acs-meta-name: TaoBao,Alipay to x-acs-meta-name:TaoBao,Alipay.

  5. Separate all headers and contents with the \n separator to form the final canonicalized headers.

Canonicalized resource

Canonicalized resource indicates that the user wants to access the resource’s specification description. Sort sub-resources and query in the ascending alphabetical order, and separate them by using the & separator to generate a sub-resource string (all parameters after ?).


Canonicalized resource format is as follows:

  1. /repository?name=repository1&namespace=namespace1