Alibaba Cloud authenticates each API request by verifying a signature. All requests must include signature information, regardless of whether they use HTTP or HTTPS.
Overview
For RPC API requests, add a signature to the query parameters in the following format.
https://Endpoint/?SignatureVersion=1.0&SignatureMethod=HMAC-SHA1&Signature=CT9X0VtwR86fNWSnsc6v8YGOjuE%3D&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf
- Endpoint: The API endpoint for ApsaraMQ for MQTT is onsmqtt.[regionId].aliyuncs.com. For more information about [regionId], see Endpoints.
- SignatureMethod: The signature method. The supported method is HMAC-SHA1.
- SignatureVersion: The version of the signature algorithm. The current version is 1.0.
- SignatureNonce: A unique random number used to prevent replay attacks. Each request must use a different random number. We recommend that you use a universally unique identifier (UUID).
- Signature: The signature generated from your AccessKey secret.
The signature algorithm follows the RFC 2104 HMAC-SHA1 specification. The signature is the HMAC value of the encoded and sorted request string, calculated using your AccessKey secret. Because each API request has different content, the signature varies accordingly. To calculate the signature, follow the steps in this topic.
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )
Step 1: Construct the string to be signed
- Construct a canonicalized query string from the request parameters.
- Sort all request parameters alphabetically by parameter name. These parameters include both common request parameters and operation-specific parameters, but exclude the `Signature` parameter.
Note: If you submit a request using the GET method, these parameters are the part of the request URI that follows the question mark (?) and are separated by ampersands (&).
- Encode the names and values of the sorted request parameters in UTF-8 using URL encoding. The following table describes the encoding rules.
| Character | Encoding method |
| --- | --- |
| A-Z, a-z, 0-9, and the characters -, _, ., and ~ | Do not encode. |
| Other characters | Encode into the %XY format, where XY is the hexadecimal value of the character's ASCII code. For example, a double quotation mark (") is encoded as %22. |
| Extended UTF-8 characters | Encode into the %XY%ZA… format (one %XY group per UTF-8 byte). |
| Space | Encode as %20 instead of a plus sign (+). |

This encoding method differs from the standard application/x-www-form-urlencoded MIME format used by libraries such as java.net.URLEncoder. To produce the required encoding, you can use a standard library and then replace plus signs (+) with %20, asterisks (*) with %2A, and %7E with tildes (~). The following percentEncode method shows an implementation of this algorithm:

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

private static final String ENCODING = "UTF-8";

// URLEncoder produces form encoding; patch the three places where it differs from RFC 3986.
private static String percentEncode(String value) throws UnsupportedEncodingException {
    return value != null
        ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~")
        : null;
}
```

- Connect the encoded parameter names and values with equal signs (=).
- Connect the resulting parameter-value pairs with ampersands (&) in the order that they were sorted. The resulting string is the canonicalized query string.
- Use the canonicalized query string from the previous step to construct the string-to-sign based on the following rules.
StringToSign = HTTPMethod + "&" + percentEncode("/") + "&" + percentEncode(CanonicalizedQueryString)
Where:
- HTTPMethod is the HTTP method used to submit the request, such as GET.
- percentEncode("/") is the encoded value of the forward slash (/) character based on the URL encoding rules described previously. The value is %2F.
- percentEncode(CanonicalizedQueryString) is the encoded canonicalized query string based on the URL encoding rules described previously.
Step 2: Calculate the signature value
- Calculate the HMAC value of the string-to-sign (StringToSign) as defined in RFC 2104.
Note: The key used for the calculation is your AccessKey secret appended with an ampersand (&) character (ASCII code 38). The hash algorithm is SHA1.
- Encode the HMAC value as a string based on Base64 rules. The resulting string is the signature (Signature).
- Add the calculated signature to the request parameters as the Signature parameter.
Note: When you add the signature to the request as the final request parameter, it must be URL-encoded in the same way as the other parameters, in accordance with RFC 3986.
Example
This section uses the DescribeRegions operation as an example. Assume that AccessKeyId is testid and AccessKey secret is testsecret. The unsigned request URL is as follows:
http://ecs.aliyuncs.com/?Timestamp=2016-02-23T12%3A46:24Z&Format=XML&AccessKeyId=testid&Action=DescribeRegions&SignatureMethod=HMAC-SHA1&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&Version=2014-05-26&SignatureVersion=1.0
The signature calculated using testsecret& as the key is:
OLeaidS1JvxuMvnyHOwuJ+uX5qY=
Add the signature to the request URL as the value of the Signature parameter. The final URL is:
http://ecs.aliyuncs.com/?SignatureVersion=1.0&Action=DescribeRegions&Format=XML&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&Version=2014-05-26&AccessKeyId=testid&Signature=OLeaidS1JvxuMvnyHOwuJ+uX5qY=&SignatureMethod=HMAC-SHA1&Timestamp=2016-02-23T12%3A46%3A24Z