All Products
Search
Document Center

Alibaba Cloud SDK:Request syntax and signature method

Last Updated:Jun 08, 2026

If the existing SDKs cannot meet your business requirements, you can construct custom HTTP requests.

Note

If an Alibaba Cloud SDK already supports your target service and language, use the SDK instead. SDKs handle request construction and signing automatically. This page is for cases where no suitable SDK is available.

Steps

Step 1: Check the API style of the cloud service

The request construction method depends on the API style of the target service. Check the API reference for your service to confirm whether it uses the remote procedure call (RPC) or resource-oriented architecture (ROA) style. For more information, see API styles.

Step 2: Construct and sign the request

Request syntax varies by API style. For detailed instructions, see Request syntax and signature method V3.

Step 3: Process responses

If you know the expected response structure, deserialize responses into predefined objects. Otherwise, process them as generic data.

Step 4: Add exception handling and retry logic

Network disruptions and invalid request parameters can cause exceptions. Build exception handling and retry logic into your client to handle these cases.

Why requests must be signed

Signing protects cloud services from malicious and invalid requests. A signature is computed from request data — including credentials, a timestamp, and a random number — and attached to each request before it is sent.

Signing achieves four security goals:

  1. Request authentication: The API gateway verifies that the request originates from a legitimate client, blocking unauthorized requests before they reach the service.

  2. Replay attack prevention: Each signature includes a timestamp and random number, ensuring that a captured request cannot be reused.

  3. Tamper detection: The signature encodes the request content, so any modification during transmission invalidates the signature and the request is rejected.

  4. Auditability: The signature carries source information and a timestamp, giving service providers a verifiable trail for tracking and auditing system access.