
Optimization Solver: Signature mechanism

Last Updated: Jan 12, 2026

To ensure secure API calls, Alibaba Cloud authenticates each API request with a signature. All requests, whether submitted over HTTP or HTTPS, must include a signature.

Overview

You can add a signature to the query of a Remote Procedure Call (RPC) API request in the following format.

https://opt.cn-beijing.aliyuncs.com/
?SignatureVersion=1.0
&Action=GetOpenStatus
&Format=JSON
&SignatureNonce=c0eda6ff-a727-496e-a2bd-d9a7ff4803c11629267192400268
&Version=2021-07-30
&AccessKeyId=LTAI****************
&Signature=t0wVIEI7kZpOin+o4zhguQ8I****
&SignatureMethod=HMAC-SHA1
&Timestamp=2021-08-18T06:13:12Z

Where:

  • SignatureMethod: The method used to generate the signature. HMAC-SHA1 is supported.

  • SignatureVersion: The version of the signature algorithm. The current version is 1.0.

  • SignatureNonce: A unique random number used to prevent replay attacks. You must use a different random number for each request. We recommend that you use a universally unique identifier (UUID).

  • Signature: The signature that is generated using an AccessKey secret.

The signature algorithm complies with the RFC 2104 HMAC-SHA1 specification. It uses the AccessKey secret to calculate the HMAC value of the encoded and sorted request string. This value serves as the signature. Because the signature is calculated based on the request parameters, each API request has a unique signature. To calculate a signature, follow the steps in this topic.

Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign)) )

Step 1: Create the string to be signed

  1. Use the request parameters to create a canonicalized query string.

    1. Sort all request parameters in alphabetical order by parameter name. The parameters include common request parameters and operation-specific parameters, excluding the Signature parameter.

      Note

      When you submit a request using the GET method, these parameters are the part of the request URI that follows the question mark (?) and are connected by ampersands (&).

    2. URL-encode the names and values of the sorted request parameters using the UTF-8 character set. For the encoding rules, see the following table.

      | Character | Encoding method |
      | --- | --- |
      | A-Z, a-z, 0-9, and the characters -, _, ., ~ | Do not encode. |
      | Other characters | Encode into the %XY format. XY is the hexadecimal representation of the character's ASCII code. For example, a double quotation mark (") is encoded as %22. |
      | Extended UTF-8 characters | Encode into the %XY%ZA... format. |
      | Space | Encode as %20, not as a plus sign (+). |

      This encoding method differs from the standard application/x-www-form-urlencoded Multipurpose Internet Mail Extensions (MIME) format. For example, the implementation of java.net.URLEncoder in the Java standard library is different. To get the correct encoding, you can first encode using a standard library. Then, replace the plus sign (+) with %20, the asterisk (*) with %2A, and %7E back to a tilde (~). The following percentEncode method shows how to implement this algorithm:

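      import java.io.UnsupportedEncodingException;
      import java.net.URLEncoder;

      private static final String ENCODING = "UTF-8";
      // Form-encode with URLEncoder, then correct the three outputs that differ from the table above.
      private static String percentEncode(String value) throws UnsupportedEncodingException {
          return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
      }

    3. Connect the encoded parameter name and value with an equal sign (=).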

    4. Connect the name-value pairs from the preceding step with ampersands (&). The pairs must be in the same alphabetical order as in Step 1.a. The resulting string is the canonicalized query string.

  2. Use the canonicalized query string from the preceding step to create the string to be signed in the following format.

    StringToSign=
          HTTPMethod + "&" +
          percentEncode("/") + "&" +
          percentEncode(CanonicalizedQueryString)

    Where:

    • HTTPMethod

      The HTTP method used to submit the request, such as GET.

    • percentEncode("/")

      The forward slash (/) character encoded according to the URL encoding rules in Step 1.b. The encoded value is %2F.

    • percentEncode(CanonicalizedQueryString)

      The canonicalized query string from Step 1, encoded using the URL encoding rules described in Step 1.b.

Step 2: Calculate the signature value

  1. Calculate the HMAC value of the string to be signed (StringToSign) according to RFC 2104.

    Note

    The key used for the calculation is your AccessKey secret with an ampersand (&) character (ASCII code 38) appended. The hash algorithm is SHA1.

  2. Encode the HMAC value from the preceding step into a string using Base64. The resulting string is the signature value (Signature).

  3. Add the calculated signature value to the request parameters as the Signature parameter.

    Note

    When you add the signature value as the final request parameter, it must be URL-encoded in the same way as other parameters, according to the rules in RFC 3986.

Example

This example shows how to sign a request to call the GetOpenStatus operation. Assume that the AccessKey ID is testid and the AccessKey secret is yourAccessKeySecret. The request URL before signing is:

https://opt.cn-beijing.aliyuncs.com/?SignatureVersion=1.0&Action=GetOpenStatus&Format=JSON&SignatureNonce=ed8fb51f-0c38-4da4-a21a-f189b3a7aecb1629267396181268&Version=2021-07-30&AccessKeyId=testid&SignatureMethod=HMAC-SHA1&Timestamp=2021-08-18T06:16:36Z

The signature value calculated using yourAccessKeySecret& is:

PPwf***********************

Add the signature to the request URL as the Signature parameter. The final URL is:

https://opt.cn-beijing.aliyuncs.com/?SignatureVersion=1.0&Action=GetOpenStatus&Format=JSON&SignatureNonce=ed8fb51f-0c38-4da4-a21a-f189b3a7aecb1629267396181268&Version=2021-07-30&AccessKeyId=testid&Signature=PPwf***********************=&SignatureMethod=HMAC-SHA1&Timestamp=2021-08-18T06:16:36Z
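
Steps 1 and 2 applied to the request from the Example section, as an added Python example that is not part of the original page and is not Alibaba Cloud SDK code. The function names are illustrative, and the code assumes that "alphabetical order" means code-point order of the parameter names.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Values from the page's Example section (the secret is the page's placeholder).
EXAMPLE_SECRET = "yourAccessKeySecret"
EXAMPLE_PARAMS = {
    "SignatureVersion": "1.0",
    "Action": "GetOpenStatus",
    "Format": "JSON",
    "SignatureNonce": "ed8fb51f-0c38-4da4-a21a-f189b3a7aecb1629267396181268",
    "Version": "2021-07-30",
    "AccessKeyId": "testid",
    "SignatureMethod": "HMAC-SHA1",
    "Timestamp": "2021-08-18T06:16:36Z",
}

def percent_encode(value: str) -> str:
    """Step 1.b: keep A-Z a-z 0-9 - _ . ~ and %XY-encode every other UTF-8 byte."""
    return quote(value, safe="", encoding="utf-8")

def canonical_query(params: dict) -> str:
    """Step 1: drop Signature, sort by name (assumed code-point order), encode, join."""
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in pairs)

def string_to_sign(method: str, params: dict) -> str:
    """HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)."""
    return "&".join([method, percent_encode("/"), percent_encode(canonical_query(params))])

def sign(method: str, params: dict, access_key_secret: str) -> str:
    """Step 2: HMAC-SHA1 keyed with the secret plus a trailing '&', then Base64."""
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_query(method: str, params: dict, access_key_secret: str) -> str:
    """Append Signature, percent-encoded like every other parameter (+, / and = included)."""
    signature = sign(method, params, access_key_secret)
    return canonical_query(params) + "&Signature=" + percent_encode(signature)

if __name__ == "__main__":
    print(string_to_sign("GET", EXAMPLE_PARAMS))
    print("https://opt.cn-beijing.aliyuncs.com/?" + signed_query("GET", EXAMPLE_PARAMS, EXAMPLE_SECRET))
```

The colons in Timestamp are encoded twice in the string to be signed (%253A), because the canonicalized query string is itself percent-encoded; omitting that second pass is a common cause of signature mismatches.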