All Products
Document Center

BSS OpenAPI:Signature

Last Updated:Mar 11, 2022

BSS OpenAPI authenticates each request for accessing the service. Therefore, HTTP- or HTTPS-based requests must contain signature information. BSS OpenAPI uses the AccessKeyID and AccessKeySecret to perform symmetric encryption and authenticate requests. You can request the AccessKeyID and AccessKeySecret and manage them on the Alibaba Cloud website. The AccessKeyID uniquely identifies a user. The AccessKeySecret encrypts your signature on the client and decrypts it on the server. For security reasons, make sure that your AccessKeySecret is not available to others.

To sign the request, follow these steps:

1. Use request parameters to construct the canonicalized query string.

  • Sort all request parameters alphabetically by the parameter names. The request parameters include common request parameters and specified custom parameters of the corresponding operation. This does not include the Signature parameter of common request parameters.Note: When you use the GET method to make a request, these parameters are specified in the URI of the request, which are the sections following - Encode the name and value of each request parameter in UTF-8. The UTF-8 encoding rules are as follows:

    • i. The letters A-Z and a-z, numbers 0-9, hyphens (-), underscores (_), periods (.), and tildes (~) are not encoded.

    • ii. Other characters are encoded in the format of %XY, where XY indicates the ASCII code of the character in hexadecimal notation. For example, the double quotes (“) are encoded as %22.

    • iii. Extended UTF-8 characters are encoded in the %XY%ZA format.

    • iv. Spaces ( ) are encoded as %20, instead of the plus sign (+).Note: The libraries that support URL encoding, such as in Java, are all encoded based on the rules for the Multipurpose Internet Mail Extensions (MIME) type of application/x-www-form-urlencoded. To use this encoding method, replace the plus signs (+) in the encoded strings with %20 and asterisks (*) with %2A, and change %7E back to the tilde (~).

  • Connect the encoded parameter names and values with equal signs (=).

  • Sort the parameter name and value pairs connected with equal signs (=) alphabetically by the parameter names, and connect them with ampersands (&) to make the canonicalized query string.

2. Use the canonicalized query string to construct the string used for signature calculation based on the following rules:

percentEncode(HTTPMethod) + "&" +
percentEncode("/") + "&" +

The HTTPMethod parameter is the HTTP method, such as GET, that is used to submit a request.

The percentEncode (“/“) string is the encoded value for the slash (/) based on the URL encoding rules described in section 1.b, which is %2F.The percentEncode (CanonicalizedQueryString) string is the result of encoding the canonicalized query string constructed in step 1 based on the URL encoding rules described in section 1.b.

3. Use the preceding signature string to calculate the Hash-based Message Authentication Code (HMAC) value of the signature by following the RFC2104rules.


The Key that is used for calculating the signature is your AccessKeySecret and an ampersand (&, ASCII: 38) based on the SHA1 hashing.

4. According to the Base64 encoding rules, encode the preceding HMAC value into a string, which is the signature value.

5. Specify the Signature parameter as the preceding signature value to sign the request.

Please note: When you submit the signature value to the ACCOUNT server as the final request parameter value, you must encode the signature value in the URL in the same way as other parameters by following the RFC3986 rules.