Each time Elastic Desktop Service (EDS) receives an HTTP or HTTPS request, the EDS system verifies the identity of the requester based on the signature in the request. Alibaba Cloud uses an AccessKey pair to perform symmetric encryption and verify the identity of the requester.


You must add a signature to a remote procedure call (RPC) API request in the following format:

Parameter description:
  • SignatureMethod: the method that is used to calculate the signature. Set the value to HMAC-SHA1.
  • SignatureVersion: the version of the signature algorithm. Set the value to 1.0.
  • SignatureNonce: a unique, random number that is used to prevent replay attacks. You must use random numbers for each request. We recommend that you use UUIDs.
  • Signature: the signature that is generated after the request is symmetrically encrypted by using the AccessKey secret.
Calculate the hash-based message authentication code (HMAC) value of the StringToSign based on RFC 2104. Use the Secure Hash Algorithm 1 (SHA-1) algorithm to calculate the HMAC value. In this example, the Java Base64 encoding method is used.
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign)) )
Note When you calculate the signature, the key value that is defined by RFC 2104 is the AccessKey secret followed by an ampersand (&) whose ASCII value is 38. For more information, see Obtain an AccessKey pair.

Step 1: Create a signature string

  1. Create a canonicalized query string by using parameters in a request.
    1. Specify parameters in the request, including all common and operation-specific parameters, in alphabetical order. The Signature parameter is excluded from the request.
      Note If you use the GET method to submit a request, the parameters that follow question marks (?) and are connected by ampersands (&) in the request uniform resource identifier (URI) are request parameters.
    2. URL encode the parameter names and values of the request based on UTF-8. The following table describes encoding rules.
      Character Encoding rule
      Letters, digits, hyphens (-), underscores (_), periods (.), and tildes (~) None
      Other characters These characters are encoded in the %XY format. XY indicates the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      Extended UTF-8 characters These characters are encoded in the %XY%ZA… format.
      Spaces Spaces are encoded as %20, instead of plus signs (+).
      This encoding method is different from the Multipurpose Internet Mail Extensions (MIME) encoding algorithm application/x-www-form-urlencoded, such as the java.net.URLEncoder class that is provided by the Java standard library. You can encode spaces based on the encoding rule for the Java standard library, and then replace the plus sign (+) in the encoded string with %20, the asterisk (*) with %2A, and the tilde (~) with %7E. You can use the following percentEncode method to implement the algorithm:
      private static final String ENCODING = "UTF-8";
      private static String percentEncode(String value) throws UnsupportedEncodingException 
      return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
    3. Connect the encoded parameter names and values by using equal signs (=).
    4. Sort the connected parameter name and value pairs in the order specified in Step i. Then, connect the pairs with ampersands (&) to construct the canonicalized query string.
  2. Encode the canonicalized query string to a signature to sign.
    Use the following rules and percentEncode to encode the canonicalized query string constructed in Step 1 in this section.
      HTTPMethod + "&" +
      percentEncode("/") + "&" +
    • HTTPMethod: the HTTP method, such as GET, to send the request.
    • percentEncode("/"): the value obtained after the forward slash (/) is encoded based on UTF-8 and RFC 3986. The value is %2F.
    • percentEncode(CanonicalizedQueryString): the string obtained after the canonicalized query string is encoded based on UTF-8 and RFC 3986.

Step 2: Calculate the signature to sign

  1. Calculate the HMAC value of the signature to sign (the StringToSign parameter) based on RFC 2104.
    Note Use the SHA1 algorithm to calculate the HMAC value. Your AccessKey secret followed by an ampersand (&) is used as the key for the HMAC calculation. The ASCII value of an ampersand is 38.
  2. Encode the HMAC value as a string by following Base64 encoding rules. Then, you can obtain the signature.
  3. Add the signature to the request as the value of the Signature parameter.
    Note The final signature that you want to send in the request must be URL encoded based on RFC 3986.


In the following example, the DescribeDesktops operation is used. If the AccessKey ID is testid and AccessKey secret is testsecret, the following example shows the request URL before you sign a signature.


Use the preceding URL to construct the signature string to sign by following the preceding rules, and then use testsecret& as the key. The calculated signature is:


Add the signature string to the request as the value of the Signature parameter, and URL encode the request based on RFC 3986. The following URL is returned: