You must sign all API requests to ensure security. Alibaba Cloud uses the request signature to verify the identity of the API caller.


A signature consists of two parts: common request header and CanonicalizedResource. The request body is not included in the signature. The common request header contains HTTP header parameters and Alibaba Cloud protocol header parameters.

AccessKey pairs are issued by Alibaba Cloud. You can visit the official Alibaba Cloud website to apply for and manage an AccessKey pair. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID is used to verify the identity of the user, while the AccessKey secret is used to encrypt and verify the signature string. You must keep your AccessKey secret strictly confidential.

Container Registry verifies each access request it receives. Therefore, all requests sent to Container Registry must contain signature information. Container Registry implements symmetric encryption with an AccessKey pair that consists of an AccessKey ID and an AccessKey secret to verify the identity of the request sender. If the calculated verification code is the same as the one provided, the request is considered valid. Otherwise, Container Registry rejects the request and returns the HTTP error code 403.

You must add the signature to the HTTP header in the following format: Authorization: acs [Access Key Id]:[Signature].

Signature calculation method

The following shows how to calculate the signature:

Signature = base64(hmac-sha1(VERB + "\n"
            + ACCEPT + "\n" +
            + Content-MD5 + "\n"
            + Content-Type + "\n"
            + Date + "\n"
            + CanonicalizedHeaders + "\n"
            + CanonicalizedResource))
  • VERB indicates the HTTP method. Example: PUT.
  • Accept indicates the response type required by the client. Valid values: application/json and application/xml.
  • Content-MD5 indicates the MD5 hash value of the request content.
  • Content-Type indicates the type of request content.
  • Date indicates the time when the request was sent. This parameter is required. The time must be in GMT. If the deviation between the time when a request was sent and the time when the request was received exceeds 15 minutes, the system determines that the request is invalid and returns the error code 400. Example: Thu, 17 Mar 2018 18:00:00 GMT.
  • CanonicalizedHeaders indicates the header fields that are prefixed with x-acs- in the request.
  • CanonicalizedResource indicates the URI of the requested resource. Example: /namespaces.


CanonicalizedHeaders (headers that start with x-acs-) must comply with the following specifications before the signature is verified:

  1. Convert the names of all HTTP request headers prefixed with x-acs- into lowercase letters. For example, you must convert X-ACS-Meta-Name: TaoBao into x-acs-meta-name: TaoBao. Header field names are case-insensitive. We recommend that you use lowercase letters.
  2. If a header field value is too long, replace specific delimiters with spaces. The delimiters include \t, \n, \r, and \f.
  3. Sort all HTTP request headers that are obtained from the preceding step in alphabetical order.
  4. Delete all spaces on each side of a delimiter between the request header and its content. For example, convert x-acs-meta-name: TaoBao,Alipay into x-acs-meta-name:TaoBao,Alipay.
  5. Separate all headers and content with delimiters \n to form the final CanonicalizedHeaders.


CanonicalizedResource represents the specification description of the resource to be accessed. Sort sub-resources along with query parameters in alphabetical order and separate them with ampersands (&) to generate a sub-resource string. The sub-resource string consists of all parameters that follow the question mark (?).

The value of CanonicalizedResource must be the following string:

/repository? name=repository1&namespace=namespace1