ApsaraVideo Live authenticates each access request. Therefore, a request must contain signature information regardless of whether it is sent over HTTP or HTTPS. ApsaraVideo Live implements symmetric encryption by using an AccessKey pair that consists of an AccessKey ID and an AccessKey secret to verify the identity of the request sender. AccessKey pairs are issued by Alibaba Cloud. You can visit the Alibaba Cloud International site (alibabacloud.com) to apply for and manage an AccessKey pair. The AccessKey ID is used to verify the identity of the user, whereas the AccessKey secret is used to encrypt and verify the signature string. You must keep your AccessKey secret strictly confidential.
Note Alibaba Cloud provides ApsaraVideo Live SDKs and supports third-party SDKs in multiple languages, which helps you calculate request signatures. For more information about Alibaba Cloud SDKs, see Alibaba Cloud SDKs.

Sign a request

Perform the following steps to sign an API request:

  1. Construct and encode a canonicalized query string.
    1. Arrange all the request parameters.
      Construct a string by arranging the request parameters in alphabetical order. Include all common and operation-specific parameters except the Signature parameter.
      Note When you use the GET method to submit a request, the request parameters are included as a part of the uniform resource identifier (URI). The request parameters in the URI are placed after the question mark (?) and separated by ampersands (&).
    2. Encode the name and value of each request parameter.
      URL encode all the request parameter names and values in UTF-8 based on the following rules:
      • Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) are not encoded.

      • Other characters are percent encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.

      • Extended UTF-8 characters are encoded in the %XY%ZA… format.

      • Spaces must be encoded as %20. Do not encode spaces as plus signs (+).

        This encoding method is similar to but different from the application/x-www-form-urlencoded Multipurpose Internet Mail Extensions (MIME) encoding algorithm, such as the java.net.URLEncoder class provided by the Java standard library. You can encode the parameter names and values by using the encoding method in the Java standard library. In the encoded string, replace the plus signs (+) with %20, asterisks (*) with %2A, and %7E with tildes (~) to obtain an encoded string that complies with the preceding encoding rules. You can use the following percentEncode() method to implement the encoding:

        private static final String ENCODING = "UTF-8";
        private static String percentEncode(String value) throws UnsupportedEncodingException {
        return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
    3. Sort the parameter name and value pairs in the order specified in Step i. Then, concatenate the pairs with ampersands (&) to construct the canonicalized query string.
  2. Construct a string-to-sign from the encoded canonicalized query string based on the following rules:
    HTTPMethod + "&" +
    percentEncode("/") + "&" +
    In the preceding string,
    • HTTPMethod indicates the HTTP method used to submit a request, such as GET.

    • percentEncode("/") encodes backslashes (/) as %2F based on the URL encoding rule described in Step ii.

    • percentEncode(CanonicalizedQueryString) specifies the encoded string of the canonicalized query string constructed in Step 1. The encoded string is produced by following the URL encoding rules described in Step 1.ii.

  3. Calculate the RFC 2104-compliant HMAC value of the string-to-sign.
    Note Use the SHA1 algorithm to calculate the HMAC value of the string-to-sign. Your AccessKey secret followed by an ampersand (&) (ASCII code 38) is used as the key for the HMAC calculation.
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the signature string to the request as the Signature parameter. The result is a signed API request.
    Note When the signature string is submitted to ApsaraVideo Live as the final request parameter value, the value must be URL-encoded in the same way as other parameters based on rules defined in RFC 3986. For more information, see RFC 3986.


Take a DescribeLiveSnapshotConfig API request as an example, where the following sample request URL is to be signed:
The following string is the string-to-sign:
Assume that the AccessKey ID is testId, the AccessKey secret is testsecret, and the key used for HMAC calculation is testsecret&. The following string is the signature string that is calculated:
The following URL is the signed request URL after the signature string is added to the request as the Signature parameter: