This topic describes how requests are signed. You must sign every HTTP or HTTPS API
request so that the server can verify the identity of the sender. Alibaba Cloud uses a
symmetric-key scheme for this: the sender computes a signature (an HMAC) over the request
with its AccessKey pair, and the server recomputes the same signature to verify it. An
AccessKey pair consists of an AccessKey ID and an AccessKey secret.
AccessKey pairs
You can obtain the AccessKey ID and AccessKey secret on the AccessKey Management page
in the Alibaba Cloud Management Console. The AccessKey ID identifies the user, while the
AccessKey secret is the key used to compute and verify the signature string. Keep your
AccessKey secret strictly confidential: anyone who holds it can sign requests as you.
For more information, see Obtain an AccessKey pair.
Note Short Message Service provides SDKs for multiple programming languages, such as Java,
Python, and PHP. If you use the SDKs to call API operations, the SDK signs requests for you
and you can skip the signing process. For more information, see SDK overview and the
related SDK documentation.
Procedure
1. Create a canonicalized query string.
   - Arrange the request parameters (common parameters and operation-specific parameters,
     excluding Signature) in alphabetical order by parameter name.
     Note If you use the GET method to send a request, the request parameters are part of
     the request URL: the first parameter follows the question mark (?) and each further
     parameter follows an ampersand (&).
   - Encode each parameter name and value in UTF-8 and percent-encode it according to
     RFC 3986.
   - Use an equal sign (=) to join each encoded parameter name to its encoded value.
   - Use an ampersand (&) to join the encoded name=value pairs. The pairs must stay in the
     same order as in Step 1.
2. Create a string-to-sign.
   Build the string-to-sign from the canonicalized query string. The percentEncode
   function is the same RFC 3986 encoding used in Step 1; here it is applied to the whole
   canonicalized query string, so the = and & separators inside it become %3D and %26.
   The string-to-sign is assembled as follows:
   StringToSign =
       HTTPMethod + "&" +                       // HTTPMethod: the HTTP method used to send the request, such as GET.
       percentEncode("/") + "&" +               // percentEncode("/"): the forward slash (/) encoded in UTF-8 as %2F.
       percentEncode(CanonicalizedQueryString)  // The canonicalized query string created in Step 1, percent-encoded.
3. Calculate the HMAC value of the string-to-sign, using the AccessKey secret as the key.
   Calculate the hash-based message authentication code (HMAC) of the string-to-sign as
   defined in RFC 2104.
   Note Use the Secure Hash Algorithm 1 (SHA1) as the hash function, that is, HMAC-SHA1.
   The key for the HMAC calculation is the AccessKey secret with an ampersand (&, ASCII 38)
   appended.
4. Obtain the signature string.
   Encode the HMAC value in Base64 to obtain the signature string (Signature).
5. Add the signature string to the request.
   Add the signature string to the request as the Signature parameter. The result is the
   signed API request.
   Note The signature string is itself percent-encoded according to RFC 3986 when it is
   placed in the request, so characters such as / and = in the Base64 value appear as %2F
   and %3D in the URL.
Sample request
Take the SendMessageToGlobe operation as an example. The following request URL is
used before signing:
http://dysmsapi.ap-southeast-1.aliyuncs.com/?AccessKeyId=testid&Action=SendMessageToGlobe&Format=XML&From=Alicloud&Message=Hello&RegionId=ap-southeast-1&SignatureMethod=HMAC-SHA1&SignatureNonce=57acef20-c1d8-11eb-8c08-db81fda24dcc&SignatureVersion=1.0&Timestamp=2021-05-31T06%3A20%3A49Z&To=861245567%2A%2A%2A%2A&Version=2018-05-01
The following string is the string-to-sign:
GET&%2F&AccessKeyId%3Dtestid%26Action%3DSendMessageToGlobe%26Format%3DXML%26From%3DAlicloud%26Message%3DHello%26RegionId%3Dap-southeast-1%26SignatureMethod%3DHMAC-SHA1%26SignatureNonce%3D57acef20-c1d8-11eb-8c08-db81fda24dcc%26SignatureVersion%3D1.0%26Timestamp%3D2021-05-31T06%253A20%253A49Z%26To%3D861245567%252A%252A%252A%252A%26Version%3D2018-05-01
Assume that the AccessKey ID is testid and the AccessKey secret is testsecret. Then the
key used to calculate the HMAC value is testsecret&. The calculated signature string is
uRpHwaSEt3J+6KQD//svCh/x+pI=.
The following URL is the signed request URL after the signature string is added to
the request as the Signature parameter:
http://dysmsapi.ap-southeast-1.aliyuncs.com/?Signature=Lh%2FxyzDi5tn8DXfqatBONMXLErg%3D&AccessKeyId=testid&Action=SendMessageToGlobe&Format=XML&From=Alicloud&Message=Hello&RegionId=ap-southeast-1&SignatureMethod=HMAC-SHA1&SignatureNonce=57acef20-c1d8-11eb-8c08-db81fda24dcc&SignatureVersion=1.0&Timestamp=2021-05-31T06%3A20%3A49Z&To=861245567%2A%2A%2A%2A&Version=2018-05-01
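The five steps of the procedure carried through on the sample request above, as an added Python example that is not code from the original page or from the Alibaba Cloud SDKs. It uses only the sample values the page gives (the parameters of the SendMessageToGlobe request and the AccessKey pair testid/testsecret), checks that the string-to-sign it builds is identical to the one shown on the page, and then signs the request. The server-side function verify_request is an assumption added to show how the receiving side checks a signature; it is not an Alibaba Cloud API.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Sample request parameters copied from the page's SendMessageToGlobe example.
SAMPLE_PARAMS = {
    "AccessKeyId": "testid",
    "Action": "SendMessageToGlobe",
    "Format": "XML",
    "From": "Alicloud",
    "Message": "Hello",
    "RegionId": "ap-southeast-1",
    "SignatureMethod": "HMAC-SHA1",
    "SignatureNonce": "57acef20-c1d8-11eb-8c08-db81fda24dcc",
    "SignatureVersion": "1.0",
    "Timestamp": "2021-05-31T06:20:49Z",
    "To": "861245567****",
    "Version": "2018-05-01",
}

# The string-to-sign the page shows for that request; used to check Steps 1 and 2.
EXPECTED_STRING_TO_SIGN = (
    "GET&%2F&AccessKeyId%3Dtestid%26Action%3DSendMessageToGlobe%26Format%3DXML"
    "%26From%3DAlicloud%26Message%3DHello%26RegionId%3Dap-southeast-1"
    "%26SignatureMethod%3DHMAC-SHA1%26SignatureNonce%3D57acef20-c1d8-11eb-8c08-db81fda24dcc"
    "%26SignatureVersion%3D1.0%26Timestamp%3D2021-05-31T06%253A20%253A49Z"
    "%26To%3D861245567%252A%252A%252A%252A%26Version%3D2018-05-01"
)


def percent_encode(value):
    """RFC 3986 encoding as the procedure requires: only A-Z a-z 0-9 - _ . ~ stay
    literal, everything else (including space, * and /) becomes %XX in uppercase hex."""
    return urllib.parse.quote(str(value), safe="-_.~")


def canonicalized_query_string(params):
    """Step 1: sort parameters by name (Signature excluded), encode names and values,
    join each pair with '=' and the pairs with '&'."""
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in items)


def string_to_sign(http_method, params):
    """Step 2: HTTPMethod & percentEncode('/') & percentEncode(CanonicalizedQueryString)."""
    return "&".join([http_method, percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])


def compute_signature(access_key_secret, http_method, params):
    """Steps 3 and 4: HMAC-SHA1 keyed with 'secret&', then Base64-encoded."""
    key = (access_key_secret + "&").encode("utf-8")
    msg = string_to_sign(http_method, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")


def signed_url(endpoint, access_key_secret, params, http_method="GET"):
    """Step 5: add the percent-encoded signature as the Signature parameter."""
    sig = compute_signature(access_key_secret, http_method, params)
    return f"{endpoint}/?Signature={percent_encode(sig)}&{canonicalized_query_string(params)}"


def verify_request(access_key_secret, http_method, received_params):
    """Assumed server-side check: recompute the signature from the received parameters
    (Signature itself is excluded by canonicalization) and compare in constant time."""
    presented = received_params.get("Signature", "")
    expected = compute_signature(access_key_secret, http_method, received_params)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    assert string_to_sign("GET", SAMPLE_PARAMS) == EXPECTED_STRING_TO_SIGN
    print(signed_url("http://dysmsapi.ap-southeast-1.aliyuncs.com", "testsecret", SAMPLE_PARAMS))
```

Two points the code makes explicit that the procedure only implies: the canonicalized query string is percent-encoded a second time inside the string-to-sign (which is why the page's string-to-sign contains %253A and %252A), and the server must recompute the signature over every received parameter except Signature, so a change to any signed parameter, including SignatureNonce and Timestamp, invalidates the signature. The constant-time comparison in verify_request avoids leaking how many leading bytes of a guessed signature were correct.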