Example of the API Signature Authentication Mechanism
The following procedure uses the Virtual Private Cloud (VPC) query API as an example. Assume that the original request is as follows:
    GET https://service.region.example.com/v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs?limit=2&marker=13551d6b-755d-4757-b956-536f674975c0 HTTP/1.1
    Host: service.region.example.com
    X-Sdk-Date: 20191115T033655Z
1. Construct a standard request.
    GET
    /v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs/
    limit=2&marker=13551d6b-755d-4757-b956-536f674975c0
    content-type:application/json
    host:service.region.example.com
    x-sdk-date:20191115T033655Z

    content-type;host;x-sdk-date
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- HTTPRequestMethod
GET
- CanonicalURI
The URI of the VPC query API is /v1/{project_id}/vpcs, where project_id is 77b6a44cba5143ab91d13ab9a8ff44fd. The standard URI is as follows:
/v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs/
- CanonicalQueryString
The VPC query API has two optional parameters: limit (number of records returned on each page) and marker (start VPC ID for pagination query). The standard query string is as follows:
limit=2&marker=13551d6b-755d-4757-b956-536f674975c0
- CanonicalHeaders
Requests for calling the VPC query API contain the X-Sdk-Date, Host (cloud service endpoint), and Content-Type headers. A standard header is as follows:
    content-type:application/json
    host:service.region.example.com
    x-sdk-date:20191115T033655Z
    //This is a blank line.
- SignedHeaders
Add the following three headers: Content-Type, Host, and X-Sdk-Date.
content-type;host;x-sdk-date
- RequestPayload
This example uses a GET request, so the request body is empty. After hashing, the request body (an empty string) is as follows:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2. Create a to-be-signed string.
    SDK-HMAC-SHA256
    20191115T033655Z
    b25362e603ee30f4f25e7858e8a7160fd36e803bb2dfe206278659d71a9bcd7a
- Algorithm
SDK-HMAC-SHA256
- RequestDateTime
20191115T033655Z
- HashedCanonicalRequest
Generate a hash value with the SHA-256 algorithm from the standard request constructed in step 1.
b25362e603ee30f4f25e7858e8a7160fd36e803bb2dfe206278659d71a9bcd7a
3. Calculate a signature.
Signature=f12f84a5ecf9eff3206499c4a55b13d1adad745dc8624a2e31f15c6b381d5b80
Assume that the SK is MFyf***VmHc. The signature is obtained by applying HMAC, keyed with the SK, to the to-be-signed string created in step 2, and hex-encoding the result.
signature = HexEncode(HMAC(MFyf***VmHc, b25362e603ee30f4f25e7858e8a7160fd36e803bb2dfe206278659d71a9bcd7a))
4. Add the signature to the request header.
Add the signature information to the Authorization message header. The SignedHeaders field lists the three headers from step 1: Content-Type, Host, and X-Sdk-Date. Assume that the access key (AK) is QTWA***KYUC.
Authorization: SDK-HMAC-SHA256 Access=QTWA***KYUC, SignedHeaders=content-type;host;x-sdk-date, Signature=f12f84a5ecf9eff3206499c4a55b13d1adad745dc8624a2e31f15c6b381d5b80
5. Complete signature request.
    GET /v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs?limit=2&marker=13551d6b-755d-4757-b956-536f674975c0 HTTP/1.1
    Host: service.region.example.com
    Content-Type: application/json
    x-sdk-date: 20191115T033655Z
    Authorization: SDK-HMAC-SHA256 Access=QTWA***KYUC, SignedHeaders=content-type;host;x-sdk-date, Signature=f12f84a5ecf9eff3206499c4a55b13d1adad745dc8624a2e31f15c6b381d5b80
Example request for calling an API with a curl command:
curl -X GET "https://service.region.example.com/v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs?limit=2&marker=13551d6b-755d-4757-b956-536f674975c0" -H "content-type: application/json" -H "X-Sdk-Date: 20191115T033655Z" -H "host: service.region.example.com" -H "Authorization: SDK-HMAC-SHA256 Access=QTWA***KYUC, SignedHeaders=content-type;host;x-sdk-date, Signature=f12f84a5ecf9eff3206499c4a55b13d1adad745dc8624a2e31f15c6b381d5b80" -d $''
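The signing steps above, as an added Python example (not code from the original page or from the provider's SDK). The AK and SK are constructed placeholders because the page masks the real ones, and the HMAC is assumed to be HMAC-SHA256 keyed with the SK over the full to-be-signed string; verify() is a hypothetical receiver-side check showing that changing a signed query parameter invalidates the signature.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "SDK-HMAC-SHA256"

def canonical_request(method, path, query, headers, body=b""):
    """Step 1: build the standard request; returns (request, signed_headers)."""
    uri = quote(path, safe="/")
    if not uri.endswith("/"):
        uri += "/"  # the standard URI on the page ends with a slash
    qs = "&".join(f"{quote(k, safe='')}={quote(str(v), safe='')}"
                  for k, v in sorted(query.items()))
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    signed = ";".join(sorted(hdrs))
    # Every header line ends in "\n", so the join below leaves the blank line.
    canon_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    return "\n".join([method.upper(), uri, qs, canon_headers, signed,
                      hashlib.sha256(body).hexdigest()]), signed

def authorization(ak, sk, method, path, query, headers, body=b""):
    """Steps 2-4: to-be-signed string, signature, Authorization header value."""
    canon, signed = canonical_request(method, path, query, headers, body)
    date = {k.lower(): v for k, v in headers.items()}["x-sdk-date"]
    to_sign = "\n".join([ALGORITHM, date,
                         hashlib.sha256(canon.encode()).hexdigest()])
    # Assumption: HMAC-SHA256 keyed with the SK over the whole to-be-signed string.
    sig = hmac.new(sk.encode(), to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{ALGORITHM} Access={ak}, SignedHeaders={signed}, Signature={sig}"

def verify(received, ak, sk, method, path, query, headers, body=b""):
    """Hypothetical receiver check: recompute from the request as received."""
    expected = authorization(ak, sk, method, path, query, headers, body)
    return hmac.compare_digest(expected, received)  # constant-time comparison

# Constructed credentials; request values are the ones used on this page.
AK, SK = "EXAMPLE_AK", "EXAMPLE_SK"
PATH = "/v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs"
QUERY = {"limit": "2", "marker": "13551d6b-755d-4757-b956-536f674975c0"}
HEADERS = {"Content-Type": "application/json",
           "Host": "service.region.example.com",
           "X-Sdk-Date": "20191115T033655Z"}

if __name__ == "__main__":
    auth = authorization(AK, SK, "GET", PATH, QUERY, HEADERS)
    print(auth)
    print(verify(auth, AK, SK, "GET", PATH, QUERY, HEADERS))  # True
    print(verify(auth, AK, SK, "GET", PATH, dict(QUERY, limit="200"), HEADERS))  # False
```

Because the SK here is a placeholder, the printed signature differs from the one shown on the page.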