Media Processing performs identity authentication on each access request. Therefore, both the HTTP and HTTPS request must contain signature information. MPS uses symmetric encryption with a pair of Access Key ID and Access Key Secret to authenticate the identity of a request sender. Access Key ID and Access Key Secret are officially issued by Alibaba Cloud to visitors (visitors can apply for and manage them at Alibaba Cloud’s official website). The Access Key ID indicates the identity of the visitor. The Access Key Secret is the secret key used to encrypt and verify the signature string on the server. It must be kept confidential and should only be available to Alibaba Cloud and the user.

Follow these steps to sign the access request:

  1. Construct the Canonicalized Query String using the request parameters.
    1. The request parameters are ordered alphabetically by parameter name (this includes the “public request parameters” and custom parameters for the given request APIs described in this document, but not the Signature parameter mentioned in “public request parameters”).
      Note For a request submitted using the GET method, these parameters constitute the parameter section of the request URI (that is, the section in the URI following ? and connected by &.
    2. Encode the name and value of each request parameter. URL encoding using the UTF-8 character set is required. URL encoding rules are as follows:
      • The letters (A–Z and a–z), the numerals (0–9), and the characters, hyphen -, underscore _, period ., and tilde ~ are not encoded.
      • Other characters are encoded into %XY format, where XY represents the characters’ ASCII code in hexadecimal notation. For example, the double quotes (“) are encoded as %22.
      • Extended UTF-8 characters are encoded into the %XY%ZA…
      • Note that an English space ( ) is encoded into %20 rather than the plus sign (+).
        Note Generally, libraries that support URL encoding (for example, of Java) are all encoded according to the rules for the application/x-www-form-urlencoded MIME-type. You can use this encoding method directly by replacing the plus sign (+) with %20 and the asterisk (*) with %2Ain the encoded string, and change %7E back to the tilde (~) to conform to the preceding encoding rules.
    3. Connect the encoded parameter names and values with the equal sign (=).
    4. Then, sort the parameter name and value pairs connected by equal sign in alphabetical order, and connect them with & to produce the Canonicalized Query String.
  2. The following example shows the pseudocode to create a canonical request.
    HTTPMethod + "&" +
    percentEncode("/") + "&" +

    Here, HTTPMethod is the HTTP method used for request submission, for example, GET.

    percentEncode(“/“) is the coded value for the character / according to the URL encoding rules described in 1.b, namely, %2F.

    percentEncode(CanonicalQueryString) is the Canonicalized Query String (constructed in Step 1) that is encoded according to the URL encoding rules described in 1.b.

  3. According to RFC2104 definitions, use the preceding signature string to calculate the signature’s HMAC value.
    Note The Key used for calculating the signature is the "Access Key Secret" held by the user, ending with the & character (ASCII:38) based on the SHA1 hashing.
  4. Encode the HMAC value into a string based on Base64 encoding rules to obtain the signature.
  5. Add the obtained signature value as the Signature parameter to the request parameters to complete the request signing process.
    Note The obtained signature value requires URL encoding based on the RFC3986 rule like other parameters before it is submitted as the final request parameter value to the Media Transcoding server.
Using SearchTemplate as an example, the request URL before signing is:
herefore, the Canonicalized Query String is:
Thus, the StringToSign is:
Assume that the Access Key ID parameter value is testId and, the Access Key Secret parameter value is testKeySecret, then, the key used for HMAC calculation is testKeySecret& and the calculated signature value is:
The signed request URL is (with the Signature parameter added):

For more information about code, see Call an API.