Elasticsearch:Signature mechanism

Last Updated:Jun 16, 2026

Alibaba Cloud authenticates each API request by using a signature. All requests, whether sent over HTTP or HTTPS, must include a signature.

Overview

To sign a RESTful API request, add the Authorization parameter to the HTTP request header in the following format.

Authorization:acs:AccessKeyId:Signature
  • acs: The abbreviation for Alibaba Cloud Service. This field is fixed.

  • AccessKeyId: The AccessKey ID used to call the API.

  • Signature: The signature computed over the request, with the AccessKey secret as the symmetric key. It is a keyed hash (HMAC-SHA1), not an encryption of the request.

Calculate a signature

The signature algorithm follows the HMAC-SHA1 specification defined in RFC 2104. The AccessKey secret is used to calculate the HMAC value of the encoded and sorted request string, producing a unique signature for each request.

Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )

Calculate the signature as follows:

  1. Construct the string to be signed.

    The string to be signed (StringToSign) is constructed from the API request and includes the following components:

    • HTTP header

    • Alibaba Cloud protocol header (CanonicalizedHeaders)

    • Canonicalized resource (CanonicalizedResource)

    • Body

    The string to be signed must be constructed in the following order.

    StringToSign = 
           //HTTP header
            HTTP-Verb + "\n" +
            Accept + "\n" +
            Content-MD5 + "\n" +//MD5 hash of the body
            Content-Type + "\n" +
            Date + "\n" +
           //Alibaba Cloud protocol header (CanonicalizedHeaders)
            CanonicalizedHeaders +
           //Canonicalized resource
            CanonicalizedResource

    Example: Original request

    POST /stacks?name=test_alert&status=COMPLETE HTTP/1.1
    Host: ***.aliyuncs.com
    Accept: application/json
    Content-MD5: ChDfdfwC+Tn874znq7Dw7Q==
    Content-Type: application/x-www-form-urlencoded;charset=utf-8
    Date: Thu, 22 Feb 2018 07:46:12 GMT 
    x-acs-signature-nonce: 550e8400-e29b-41d4-a716-446655440000
    x-acs-signature-method: HMAC-SHA1
    x-acs-signature-version: 1.0
    x-acs-version: 2016-01-02

    Example: Canonicalized request

    POST
    application/json
    ChDfdfwC+Tn874znq7Dw7Q==
    application/x-www-form-urlencoded;charset=utf-8
    Thu, 22 Feb 2018 07:46:12 GMT
    x-acs-signature-method:HMAC-SHA1
    x-acs-signature-nonce:550e8400-e29b-41d4-a716-446655440000
    x-acs-signature-version:1.0
    x-acs-version:2016-01-02
    /stacks?name=test_alert&status=COMPLETE

  2. Add the signature.

    Add the calculated signature to the request header in the following format.

    Authorization: acs AccessKeyId:Signature

HTTP header

The signature calculation must include the following parameters, sorted in alphabetical order by name. If a parameter does not have a value, its line is left empty and only the \n separator is kept.

  • Accept: The response type that the client expects. Valid values: application/json | application/xml.

  • Content-MD5: The 128-bit MD5 hash of the HTTP message body, converted to a Base64-encoded string.

  • Content-Type: The content type of the HTTP request body, as defined in RFC 2616.

  • Date: The GMT time specified in HTTP 1.1. Example: Wed, 05 Sep 2012 23:00:00 GMT.

    Note

    Do not include the parameter names (keys).

Example: Original header

Accept: application/json
Content-MD5: ChDfdfwC+Tn874znq7Dw7Q==
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Date: Thu, 22 Feb 2018 07:46:12 GMT

Example: Canonicalized header

application/json
ChDfdfwC+Tn874znq7Dw7Q==
application/x-www-form-urlencoded;charset=utf-8
Thu, 22 Feb 2018 07:46:12 GMT

Alibaba Cloud protocol header (CanonicalizedHeaders)

CanonicalizedHeaders are non-standard HTTP headers prefixed with x-acs-. The request must include the following parameters:

  • x-acs-signature-nonce: A unique random number used to prevent replay attacks. Use a different random value for each request.

  • x-acs-signature-version: The signature version. The value is 1.0.

  • x-acs-version: The API version number.

Construct the Alibaba Cloud canonicalized headers as follows:

  1. Convert the names of all HTTP request headers prefixed with x-acs- to lowercase. For example, convert X-acs-OSS-Meta-Name: TaoBao to x-acs-oss-meta-name: TaoBao.

  2. Sort all the HTTP headers from the previous step in alphabetical order by name.

  3. Remove any spaces around the separator in the request header. For example, x-acs-oss-meta-name: TaoBao,Alipay is transformed into x-acs-oss-meta-name:TaoBao,Alipay.

  4. Join all headers and their values with the "\n" separator to create the final CanonicalizedHeaders string.

Example: Original header

x-acs-signature-nonce: 550e8400-e29b-41d4-a716-446655440000
x-acs-signature-method: HMAC-SHA1
x-acs-signature-version: 1.0
x-acs-version: 2016-01-02

Example: Canonicalized header

x-acs-signature-method:HMAC-SHA1
x-acs-signature-nonce:550e8400-e29b-41d4-a716-446655440000
x-acs-signature-version:1.0
x-acs-version:2016-01-02

Canonicalized resource (CanonicalizedResource)

CanonicalizedResource is the canonical representation of the resource being accessed. Sort all sub-resources and query parameters after the ? in ascending alphabetical order, and then join them with an ampersand (&) to produce the resource string.

Example: Original request

/stacks?status=COMPLETE&name=test_alert

Example: Canonicalized request

/stacks?name=test_alert&status=COMPLETE

Body

Hash the request body using the MD5 algorithm, and then Base64-encode the result. Add the final string to the Content-MD5 header.
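
The whole procedure on this page, from Content-MD5 to the Authorization value, as an added Python example (not Alibaba Cloud's own SDK code). It sorts the x-acs- headers by name as step 2 of the canonicalization requires, uses the `acs AccessKeyId:Signature` form from the "Add the signature" step, and assumes each canonicalized header line ends with "\n"; the function names and placeholder credentials are made up for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

def content_md5(body: bytes) -> str:
    """Content-MD5 value: Base64 of the 128-bit MD5 digest of the body."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")

def canonicalized_headers(headers: dict) -> str:
    """Lowercase x-acs-* names, sort by name, drop spaces around ':'."""
    acs = {k.strip().lower(): v.strip() for k, v in headers.items()
           if k.strip().lower().startswith("x-acs-")}
    # Assumption: each line ends with "\n" so the resource starts on its own line.
    return "".join(f"{k}:{acs[k]}\n" for k in sorted(acs))

def canonicalized_resource(target: str) -> str:
    """Sort the parameters after '?' in ascending order and rejoin with '&'."""
    parts = urlsplit(target)
    if not parts.query:
        return parts.path
    return parts.path + "?" + "&".join(sorted(parts.query.split("&")))

def string_to_sign(method: str, target: str, headers: dict) -> str:
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    # Values only, in the fixed order; an absent header leaves an empty line.
    std = [h.get(n, "") for n in ("accept", "content-md5", "content-type", "date")]
    return ("\n".join([method.upper(), *std]) + "\n"
            + canonicalized_headers(headers) + canonicalized_resource(target))

def authorization(access_key_id: str, access_secret: str, sts: str) -> str:
    """Base64(HMAC-SHA1(secret, UTF-8(StringToSign))) in the Authorization format."""
    mac = hmac.new(access_secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return f"acs {access_key_id}:{base64.b64encode(mac.digest()).decode('ascii')}"

# Constructed sample: the page's example request, with one mixed-case header name.
SAMPLE_HEADERS = {
    "Accept": "application/json",
    "Content-MD5": "ChDfdfwC+Tn874znq7Dw7Q==",
    "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
    "Date": "Thu, 22 Feb 2018 07:46:12 GMT",
    "X-Acs-Signature-Nonce": "550e8400-e29b-41d4-a716-446655440000",
    "x-acs-signature-method": "HMAC-SHA1",
    "x-acs-signature-version": "1.0",
    "x-acs-version": "2016-01-02",
}
SAMPLE_STS = string_to_sign("POST", "/stacks?status=COMPLETE&name=test_alert", SAMPLE_HEADERS)
if __name__ == "__main__":
    print(SAMPLE_STS)
    print(authorization("EXAMPLE_KEY_ID", "EXAMPLE_SECRET", SAMPLE_STS))
```

Because Date, Content-MD5 and x-acs-signature-nonce are all part of the signed string, changing any of them after signing yields a different signature, so an altered request no longer matches its Authorization header.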