After the OSS server is signed,

When you use server-side signing with client-side direct transfer and call PostObject from the browser, OSS may return the following error:

<Error>
  <Code>InvalidAccessKeyId</Code>
  <Message>The OSS Access Key Id you provided does not exist in our records.</Message>
  <RequestId>60AE1FFE8CFD483135961F65</RequestId>
  <HostId>BucketName.oss-cn-beijing.aliyuncs.com</HostId>
  <OSSAccessKeyId>STS.XXXXX4kYP8Vh2iXXXXXX</OSSAccessKeyId>
</Error>

This error indicates that the x-oss-security-token field is missing from your PostObject form. Security Token Service (STS) temporary credentials consist of three required components: AccessKeyId, AccessKeySecret, and SecurityToken. Without x-oss-security-token, OSS cannot validate the STS credential and rejects the request.

Diagnose the issue

Open browser DevTools and go to the Network tab.
Reproduce the upload.
Select the failed request and inspect the Form Data payload.
Check whether x-oss-security-token is present.

If the form contains OSSAccessKeyId but no x-oss-security-token, the SecurityToken was not included — this confirms the root cause.

Solution

Add x-oss-security-token to your PostObject form and set its value to the SecurityToken from your STS response.

Form field	Value
`x-oss-security-token`	The SecurityToken returned by STS

For the complete list of PostObject form fields, see the PostObject API reference.

What's next

Use temporary credentials provided by STS to access OSS