All Products
Search
Document Center

Marketplace:SPI security token

Last Updated:Jun 03, 2026

SaaS service providers on Alibaba Cloud Marketplace must implement the Service Provider Interface (SPI) to handle product provisioning. After a customer purchases a product, Alibaba Cloud Marketplace sends a callback to the provider's SPI implementation, which creates an application instance to provide the service. Every SPI call requires authentication through a security token.

Applicable products

Applies to SaaS products that use the active push SPI method.

Token generation

Validate every incoming API call by using the SPI security token, which is the `token` parameter in the URL.

To generate the token: retrieve all HTTP GET parameters except `token`, sort them alphabetically by name, append `&key={service_provider_security_key}`, and compute the MD5 hash of the resulting string.

Note

Alibaba Cloud Marketplace may add other parameters to API calls. When verifying the signature, use all URL parameters except the token parameter and generate the token as specified.

Token validation example

Example request to a service provider API:

https://example.aliyundoc.com/api?p1=xxx&p2=xxx&p3=xxx&token=xxx

Example code for token validation:

 /**
 * Verifies the token.
 * @param parameters The SPI parameters for the instance lifecycle.
 * @param secretKey The service provider's secret key.
 * @param receivedToken The received token.
 * @return The verification result. `true` indicates success, and `false` indicates failure.
 * @throws Exception
 */
private boolean verifyToken(Map<String, String> parameters, String secretKey, String receivedToken) throws Exception {
    // Calculate the expected token.
    String expectedToken = computeToken(parameters, secretKey);

    // Compare the received token with the expected token.
    return expectedToken.equals(receivedToken);
}

 /**
     * Generates the token.
     * @param parameters The SPI parameters for the instance lifecycle, such as {"p1":"xxx","p2":"xxx","p3":"xxx"}.
     * @param secretKey The service provider's secret key.
     * @return The generated token.
     * @throws Exception
     */
  private String computeToken(Map<String, String> parameters, String secretKey) throws Exception {
        String[] sortedKeys = parameters.keySet().toArray(new String[]{});
        Arrays.sort(sortedKeys);

        StringBuilder queryString = new StringBuilder();
        for (String key : sortedKeys) {
            queryString.append(key).append("=").append(parameters.get(key)).append("&");
        }

        queryString.append("key").append("=").append(secretKey);
        String token = DigestUtils.md5DigestAsHex(queryString.toString().getBytes(Charsets.UTF_8));
        log.info("token: {}", token);
        return token;
  }