Object Storage Service:Use Node.js to upload an object with a signed header to OSS

Prerequisites

Before you begin, ensure that you have:

• Node.js v12.10.0 or later installed

• An OSS bucket

• An AccessKey ID and AccessKey secret with write access to the bucket

• The following npm packages installed:

    npm install crypto-js request

How signing works

OSS authenticates each request using a signature in the Authorization header. The signature is computed from a string to sign that encodes the request method, content type, date, and resource path.

String-to-sign formula:

StringToSign = HTTP-Verb + "\n"
             + Content-MD5 + "\n"
             + Content-Type + "\n"
             + Date + "\n"
             + CanonicalizedResource

Authorization header format:

Authorization: OSS <AccessKeyId>:<Signature>
Signature = Base64(HMAC-SHA1(AccessKeySecret, StringToSign))

Field reference:

Example: how a PutObject request maps to the string to sign

Request                                    StringToSign
PUT /mytest/nodejs.txt HTTP/1.1            PUT\n
Content-Type: application/json            \n
Date: Mon, 02 Mar 2026 08:00:00 GMT       application/json\n
Host: mybucket.oss-cn-hangzhou...         Mon, 02 Mar 2026 08:00:00 GMT\n
                                          /mybucket/mytest/nodejs.txt

Note that Content-MD5 is absent from the request, so it becomes an empty string in the string to sign.

Sign and upload an object

The following Node.js code signs a PutObject request using HMAC-SHA1 and uploads an object to OSS.

var HmacSha1 = require('crypto-js/hmac-sha1');
var Base64 = require('crypto-js/enc-base64');
var request = require('request');

// Configuration — replace placeholders with your actual values
var endpoint    = 'http://oss-cn-hangzhou.aliyuncs.com';  // <region-endpoint>
var bucketName  = 'xxx';                                   // <your-bucket-name>
var objectName  = 'mytest/nodejs.txt';                     // <your-object-name>
var accesskey   = 'xxxx';                                  // <your-accesskey-id>
var accesskeysecret = 'xxx';                               // <your-accesskey-secret>

// Build the string to sign
var gmtDate     = (new Date()).toGMTString();
var contenttype = 'application/json';
var strtosign   = 'PUT\n\n' + contenttype + '\n' + gmtDate + '\n' + '/' + bucketName + '/' + objectName;

// Compute the signature
var sign = Base64.stringify(HmacSha1(strtosign, accesskeysecret));

// Send the PUT request
var options = {
    url: 'http://' + bucketName + '.oss-cn-hangzhou.aliyuncs.com/' + objectName,
    headers: {
        'Content-Type':  contenttype,
        'Date':          gmtDate,
        'Authorization': 'OSS ' + accesskey + ':' + sign
    },
    body: '{test:test}'
};

request.put(options, function(error, response, body) {
    console.info('response: ' + JSON.stringify(response));
    console.info('statusCode: ' + response.statusCode);
    console.info('body: ' + body);
});

Replace the following placeholders with your actual values:

Troubleshooting

`SignatureDoesNotMatch`

This error means the signature OSS computed from your request does not match the one you sent. Check the following:

• The Date header is in valid GMT format and matches the value used in the string to sign.

• The Content-Type in the string to sign exactly matches the Content-Type header, including case.

• CanonicalizedResource starts with / followed by the bucket name and object key: /bucketName/objectName.

• If Content-MD5 or Content-Type is absent from the request, use an empty string ("") in that position of the string to sign.

• The AccessKey secret used to compute the signature is correct and has not been rotated.

`403 Access Denied`

Verify that the AccessKey ID and AccessKey secret are valid and that the associated account has oss:PutObject permission on the target bucket.

What's next

• Include signatures in the Authorization header — full specification for OSS request signing