You must sign all API requests to ensure security. Alibaba Cloud uses the request signature to verify the identity of the API caller. DLA implements symmetric encryption with an AccessKey pair to verify the identity of the request sender. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

Notice Signatures are not required when you use an SDK to send requests.

Step 1: Create a canonicalized query string

  1. Create a canonicalized query string by arranging the request parameters (including all common and operation-specific parameters except Signature) in alphabetical order. If you use the GET method to send a request, the canonicalized query string is only made up of the parameters and does not include "https://endpoint/?". The parameters are separated by ampersands (&).
  2. Encode the canonicalized query string in UTF-8. Follow the RFC 3986 specification to encode parameters and their values. Encoding rules:
    • Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
    • Other characters must be percent encoded in %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
    • Extended UTF-8 characters are encoded in %XY%ZA… format.
    • Spaces must be encoded as %20. Do not encode spaces as plus signs (+). The preceding encoding scheme is slightly different from the application/x-www-form-urlencoded MIME-type encoding algorithm.

      If you use in the Java standard library, use percentEncode to encode request parameters and their values. In the encoded query string, replace the plus sign (+) with %20, the asterisk (*) with %2A, and %7E with a tilde (~). This way, you can obtain an encoded string that matches the preceding encoding rules.

    private static final String ENCODING = "UTF-8";
    private static String percentEncode(String value) throws UnsupportedEncodingException {
    return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
  3. Separate the encoded parameter names from their encoded values with equal signs (=).
  4. Separate the name-value pairs with ampersands (&).

Then, the canonicalized query string is created.

Step 2: Create a string-to-sign from the encoded canonicalized query string

Create a string-to-sign. You can also use percentEncode to encode the canonicalized query string that is created in the previous step. Comply with the following rules to create a string-to-sign:
  HTTPMethod + "&" + //HTTPMethod: the HTTP method that is used to send a request, such as GET.
  percentEncode("/") + "&" + //percentEncode("/"): Encode the forward slash (/) in UTF-8 as %2F.
  percentEncode(CanonicalizedQueryString) //Encode the canonicalized query string created in Step 1.
Calculate the hash-based message authentication code (HMAC) value of the string-to-sign, as defined in RFC 2104. Use the Secure Hash Algorithm 1 (SHA-1) algorithm to calculate the HMAC value. The Java Base64 encoding scheme is used in this example.
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )

When you calculate the signature, the key value specified by RFC 2104 is your AccessKey secret with an ampersand (&) which has an ASCII value of 38. The calculation result is encoded based on the signature rule specified in RFC 3986 and then added to the URL of the canonicalized query string that you created in Step 1.


The following example demonstrates the signature process when you want to query the status of a job by calling the GetJobStatus operation. In this example, the AccessKey ID you obtained is xxx and the AccessKey secret you obtained is yyy.

  1. Create a canonicalized query string. Note that the signature nonce is a random string.
  2. Create a string-to-sign.
  3. Calculate the signature. The value of AccessKey secret is yyy, and therefore the key used for calculation is yyy&. The calculated signature is DR5p4dbFur6ad****Iq8uH4sW6w=. The Java Base64 encoding scheme is used in this example.
    Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )
  4. Encode the calculated signature as Signature=DR5p4dbFur6adTbYPIq8uH4sW6w%3D based on the encoding rules specified in RFC 3986 Then, add Signature=DR5p4dbFur6ad****Iq8uH4sW6w%3D to the URL.

    You can use browsers or tools such as cURL or wget to send HTTP requests based on the new URL.