You can use the signature tool in the Object Storage Service (OSS) console to generate signatures for different request methods. After you specify the required parameters, the system automatically generates and verifies a request signature.

Usage notes

  • If the signature obtained from the signature tool is inconsistent with those obtained from OSS SDKs or other tools, you need to verify the parameters yourself.
  • The signature tool does not provide identification and notification for incorrect parameters. In this case, the request signature that is generated may not pass the signature verification.
  • If you do not specify the required parameters of the signature tool, the request signature cannot be generated.


To generate a signature by using the signature tool in the OSS console, perform the following steps:

  1. Log on to the OSS console.
  2. In the left-side navigation pane, choose Self-service Tools > Signature Tool.
  3. On the Signature Tool page, click the Signature in Authorization Header tab.
  4. On the Signature in Authorization Header tab, configure the parameters. The following table describes the parameters.
    AccessKeyIdYesLTAI5t7h6SgiLSganP2m****The AccessKey pair of the account that you want to use to access OSS resources. An AccessKey pair consists of an AccessKey ID and AccessKey secret.
    Security-TokenNoCAISowJ1q6Ft5B2yfSjIr5feHsPhtYh3+pONd2uCglI3dvxVt7DB1Tz2IHxMdHJsCeAcs/Q0lGFR5/sflqJIRoReREvCUcZr8sy2SqEGos2T1fau5Jko1be0ewHKeQKZsebWZ+LmNpy/Ht6md1HDkAJq3LL+bk/Mdle5MJqP+/kFC9MMRVuAcCZhDtVbLRcYgq18D3bKMuu3ORPHm3fZCFES2jBxkmRi86+ysIP+phPVlw/90fRH5dazcJW0Zsx0OJo6Wcq+3+FqM6DQlTNM6hwNtoUO1fYUommb54nDXwQIvUjfbtC5qIM/cFVLAYEhALNBofTGkvl1h/fejYyfyWwWYbkFCHiPFNr9kJCUSbr4a4sjF6zyPnPWycyCLYXleLzhxPWd/2kagAF6qLNY5paXF18NyRP0PISqxlWBuSQldMS3avlblTFB7apY8CUiAQcSY3uDYUhuxU+KFBxpGaq8c1SU5ARo+1JBA5nXhFlY2nbDnWONxa0mvNvE3XJ0FZJnDS7WBHyOMjC8nmw2GfaQ4bxQ0D2+20yrDNevWSSqnwh0qXMI3zY5****This parameter is required only if you use temporary access credentials to access OSS resources. Otherwise, you can leave this parameter empty. For more information about how to obtain a security token, see AssumeRole.
    VERBYesGETThe method that is used for the HTTP request, including GET, POST, PUT, DELETE, and HEAD.

    For more information, see List of operations by function.

    Content-MD5NoeB5eJF1ptWaXm4bijSPyxw==The MD5 hash of the requested content. The message content that excludes the header is calculated to obtain a 128-bit MD5 hash. This hash is encoded in Base64. For more information, see RFC 2616 Content-MD5.

    The request header can be used to check the validity of a message. The message content is valid only if the received message content is the same as the content that is sent. This parameter can be left empty.

    For more information about how to calculate the value of Content-MD5, see Calculation of Content-MD5.

    Content-TypeNoapplication/octet-streamThe type of the request content. This parameter can be left empty. For more information about Content-Type, see How do I specify the Content-Type header?
    DateYesJan 9, 2023 14:20:38 GMTThe time when the signature is generated. The value of this parameter must be in UTC.
    Important If the difference between the time specified by the Date header in a request and the time on the server when the request is received is greater than 15 minutes, OSS rejects the request and returns the HTTP status code 403.
    Canonicalized HeadersNox-oss-meta-name: taobaoThe HTTP headers that are prefixed with x-oss-. The HTTP headers are sorted in alphabetical order. To add multiple Canonicalized headers, click Add.

    For more information about how to construct Canonicalized headers, see Creation of CanonicalizedOSSHeaders.

    Canonicalized ResourceNoexamplebucketThe OSS resource that you want to access.
    • If no bucket or object is used to generate the signature, you do not need to specify the Canonicalized Resource parameter. For example, when you call the ListBuckets (GetService) operation to generate the signature, you do not need to specify the Canonicalized Resource parameter.
    • If buckets, objects, or other subresources are used to generate the signature, specify the Canonicalized Resource parameter based on your business requirements. For more information about how to specify the Canonicalized Resource parameter, see Creation of CanonicalizedResource.
  5. After you specify the preceding parameters, click Generate Signature.
    The used signature functions and the generated Authorization request header are displayed in the Result Feedback section on the right of the Signature Tool page.