AI Guardrails: Request signatures

Last Updated: Mar 31, 2026

Sign each AI Guardrails API request with your AccessKey secret to authenticate the call. HMAC-SHA1 (default) and HMAC-SM3 are supported.

AI Guardrails SDKs handle signing automatically. If you use an SDK, skip this page. For SDK setup instructions, see the guides for Java, Python, PHP, Go, and .NET.

How it works

Both algorithms follow the same four-step flow. The only difference is in step 3: HMAC-SHA1 includes the Content-MD5 header in the string-to-sign; HMAC-SM3 does not.

# Step 1 – Serialize x-acs-* headers (both algorithms)
SerializedHeaders = sort_alphabetically(x-acs-headers)
                    formatted as "<name>:<value>\n" each

# Step 2 – Serialize URI (both algorithms)
SerializedURI = uri + "?clientInfo=" + JSON(clientInfo)

# Step 3 – Build string-to-sign
# (SerializedHeaders already ends with "\n", so SerializedURI follows it directly)
# HMAC-SHA1
StringToSign = "POST\n" + "application/json\n" + ContentMD5 + "\n"
             + "application/json\n" + Date + "\n"
             + SerializedHeaders + SerializedURI

# HMAC-SM3 (no ContentMD5 line)
StringToSign = "POST\n" + "application/json\n" + Date + "\n"
             + SerializedHeaders + SerializedURI

# Step 4 – Generate signature (both algorithms)
HMACValue     = HMAC-<ALGORITHM>(key=AccessKeySecret, data=StringToSign)
Signature     = Base64(HMACValue)
Authorization = "acs " + AccessKeyId + ":" + Signature

Sign with HMAC-SHA1

Step 1: Serialize request headers

Build a string from all HTTP headers whose names start with x-acs-:

  1. Extract every HTTP header whose name starts with x-acs-.

  2. Sort the extracted headers in alphabetical order.

  3. Format each header as <header-name>:<header-value>\n.

  4. Concatenate all formatted headers into a single string.

Step 2: Serialize the URI and query parameters

Concatenate the URI and the clientInfo query parameter in the following format:

uri + "?clientInfo=" + <JSON string of clientInfo>
Do not URL-encode this string.

Step 3: Build the string-to-sign

Concatenate the following fields, each separated by a newline character (\n):

POST                              ← HTTP method
application/json                  ← Content-Type
<Value of Content-MD5 header>     ← Content-MD5 hash of the request body
application/json                  ← Accept header
<Value of Date header>            ← Request timestamp
<Serialized request headers>      ← Output from step 1
<Serialized URI and parameters>   ← Output from step 2

Example — string-to-sign for a synchronous image moderation call:

POST
application/json
C+5Y0crpO4sYgC2DNjycug==
application/json
Tue, 14 Mar 2017 06:29:50 GMT
x-acs-signature-method:HMAC-SHA1
x-acs-signature-nonce:339497c2-d91f-4c17-a0a3-1192ee9e2202
x-acs-signature-version:1.0
x-acs-version:2018-05-09
/green/image/scan?clientInfo={"ip":"127.xxx.xxx.2","userId":"12023xxxx","userNick":"Mike","userType":"others"}

Step 4: Generate the signature string

  1. Calculate the HMAC-SHA1 value of the string-to-sign using your AccessKey secret as the key. The result is a byte array — do not transform it before the next step.

  2. Encode the byte array in Base64 to get the signature string.

  3. Set the Authorization header to:

    acs <AccessKeyId>:<signature>
    There is a single space between acs and <AccessKeyId>.
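
The four HMAC-SHA1 steps above in Python, as an added example that is not the SDK's or this page's own code. Function names and credentials are placeholders; Content-MD5 as Base64(MD5(body)) and compact JSON for clientInfo are assumptions based on the shape of the page's sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder credentials, not real keys.
ACCESS_KEY_ID = "EXAMPLE_ACCESS_KEY_ID"
ACCESS_KEY_SECRET = "EXAMPLE_ACCESS_KEY_SECRET"

# Sample request values copied from the page's HMAC-SHA1 example.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",  # not x-acs-*, so excluded in step 1
    "x-acs-version": "2018-05-09",
    "x-acs-signature-nonce": "339497c2-d91f-4c17-a0a3-1192ee9e2202",
    "x-acs-signature-version": "1.0",
    "x-acs-signature-method": "HMAC-SHA1",
}
SAMPLE_CLIENT_INFO = {"ip": "127.xxx.xxx.2", "userId": "12023xxxx",
                      "userNick": "Mike", "userType": "others"}


def content_md5(body: bytes) -> str:
    # Assumption: Content-MD5 is Base64(MD5(body)), the usual HTTP convention.
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def serialize_headers(headers: dict) -> str:
    # Step 1: keep x-acs-* headers, sort by name, emit "<name>:<value>\n" each.
    acs = sorted((k, v) for k, v in headers.items() if k.lower().startswith("x-acs-"))
    return "".join(f"{k}:{v}\n" for k, v in acs)


def serialize_uri(uri: str, client_info: dict) -> str:
    # Step 2: compact JSON as in the page's example, appended without URL-encoding.
    return uri + "?clientInfo=" + json.dumps(client_info, separators=(",", ":"))


def string_to_sign(md5_b64: str, date: str, headers: dict, uri: str, client_info: dict) -> str:
    # Step 3: each serialized header already ends in "\n", so the URI follows directly.
    return ("POST\napplication/json\n" + md5_b64 + "\napplication/json\n" + date + "\n"
            + serialize_headers(headers) + serialize_uri(uri, client_info))


def authorization(sts: str, key_id: str = ACCESS_KEY_ID, secret: str = ACCESS_KEY_SECRET) -> str:
    # Step 4: Base64-encode the raw 20-byte digest (not its hex text).
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1).digest()
    return "acs " + key_id + ":" + base64.b64encode(mac).decode("ascii")
```

Calling string_to_sign with the Content-MD5 and Date values from the example above reproduces that example string-to-sign line for line.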

Sign with HMAC-SM3

Step 1: Serialize request headers

Build a string from all HTTP headers whose names start with x-acs-:

  1. Extract every HTTP header whose name starts with x-acs-.

  2. Sort the extracted headers in alphabetical order.

  3. Format each header as <header-name>:<header-value>\n.

  4. Concatenate all formatted headers into a single string.

Step 2: Serialize the URI and query parameters

Concatenate the URI and the clientInfo query parameter in the following format:

uri + "?clientInfo=" + <JSON string of clientInfo>
Do not URL-encode this string.

Step 3: Build the string-to-sign

The HMAC-SM3 string-to-sign does not include a Content-MD5 line. Concatenate the following fields, each separated by a newline character (\n):

POST                              ← HTTP method
application/json                  ← Content-Type
<Value of Date header>            ← Request timestamp
<Serialized request headers>      ← Output from step 1
<Serialized URI and parameters>   ← Output from step 2

Example — string-to-sign for a synchronous image moderation call:

POST
application/json

application/json
Wed, 29 Mar 2023 01:44:08 GMT
x-acs-content-sm3:690c6c542ac53eaa1e2ad724f34d60e689d11db88a2d89469be1fdb2f20fc35c
x-acs-signature-method:HMAC-SM3
x-acs-signature-nonce:339497c2-d91f-4c17-a0a3-1192ee9e2202
x-acs-signature-version:1.0
x-acs-version:2018-05-09
/green/image/scan?clientInfo={"ip":"127.xxx.xxx.2","userId":"12023xxxx","userNick":"Mike","userType":"others"}

Step 4: Generate the signature string

  1. Calculate the HMAC-SM3 value of the string-to-sign using your AccessKey secret as the key. The result is a byte array — do not transform it before the next step.

  2. Encode the byte array in Base64 to get the signature string.

  3. Set the Authorization header to:

    acs <AccessKeyId>:<signature>
    There is a single space between acs and <AccessKeyId>.