Updated on 2024-09-29 GMT+08:00

Overview

Function

Each time a client calls an OBS API, the HTTP request must be signed, so the server can verify the request signature and ensure secure access. By verifying a signature, OBS:

  • Prevents unauthorized access. As signatures carry user information, OBS can verify the user information carried in a signature to check if any unauthorized users are attempting to access resources.
  • Prevents in-transit data tampering. OBS compares the signature it received with the one it calculated to check if data was ever tampered with in transit.
  • Prevents signature abuse. Signatures have validity periods, which help reduce the risk of an unauthorized party reusing them for malicious purposes.

Signing and Verification

Figure 1 shows how a signature is calculated and verified.

Figure 1 Signing and verification
Table 1 Signing and verification

| Executor | No. | Step | Description |
|---|---|---|---|
| Client | 1 | HTTP request constructed. | An API request contains a URI, method, and headers, as well as an optional body. For details, see Constructing a Request. |
| Client | 2 | Signature S calculated. | The signature is calculated based on the constructed request and an access key. You can calculate a signature (S) by: |
| Client | 3 | S added to the request. | You can add a signature to: |
| Client | 4 | S-carried request sent. | Your client sends the request that carries the signature to a server. |
| OBS server | 5 | Request received. | The server receives the request from the client. |
| OBS server | 6 | Signature authenticated. | The server calculates a signature (S') based on the received request and the access key you provided and compares S' with the received signature S. If they match, the authentication is successful. Otherwise, the request is rejected. |
| OBS server | 7 | API response returned. | If the authentication is successful, the server processes the request and then returns the processing result. If the authentication fails, the server returns the status code 403 Forbidden and error code SignatureDoesNotMatch. To fix this issue, see Why Don't the Signatures Match? |
| Client | 8 | Response received from server. | Your client receives a response from the server. |

Comparison Between Signature Carrying Methods

OBS can carry a signature in a header, URL, or browser-based upload. The third method is limited to making POST requests through a browser. The first two methods are compared in the following table:

Table 2 Comparison between carrying a signature in a header and in a URL.

| Item | Carrying Signature in Header | Carrying Signature in URL |
|---|---|---|
| Application | Using a header is the recommended method of carrying a signature in most cases. | Using a pre-signed URL is useful if you want to grant only temporary access. With this method, you do not need to provide your access key to third parties. You instead provide them a pre-signed URL. Be aware of the potential risk, as this method exposes your data to the Internet within the validity period. A pre-signed URL is recommended for accessing OBS through a browser. |
| Expires support | No | Yes |
| Date support | Yes | No |
| Common APIs | All OBS APIs | GET and PUT |
| Time formatting | The Date header indicates when the request was generated, recorded using Greenwich Mean Time (GMT) in the RFC 1123 format. If the value of Date is over 15 minutes away from the current server time, the server returns 403, indicating that the request is invalid. | The Expires header indicates how long the pre-signed URL is valid, measured in seconds. When the specified period elapses, the pre-signed URL expires. |
| URL encoding required | No | Yes |
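
The following added example (not OBS code and not from the original page) walks through steps 2 and 6 of Table 1 together with the 15-minute Date window from Table 2, for a signature carried in a header. The canonical string, HMAC-SHA256, the `DEMO` authorization scheme, the demo key pair, and every reason string except `SignatureDoesNotMatch` are assumptions made for illustration; OBS defines its own string-to-sign and algorithm in its signing documentation.

```python
import base64
import hashlib
import hmac
from datetime import timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_SKEW = timedelta(minutes=15)  # Date window stated on this page
# Constructed demo credentials (access key ID -> secret), not real keys.
SECRETS = {"EXAMPLE_AK": b"example-secret-key"}


def string_to_sign(method, path, headers):
    # Assumed, simplified canonical form; OBS defines its own.
    return "\n".join([method.upper(), headers.get("Date", ""), path])


def sign(secret, method, path, headers):
    """Step 2: the client derives S from the request and its secret key."""
    msg = string_to_sign(method, path, headers).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()


def verify(method, path, headers, now):
    """Step 6: the server recomputes S' and compares it with S."""
    try:
        _scheme, cred = headers["Authorization"].split(" ", 1)
        ak, received = cred.split(":", 1)
        sent_at = parsedate_to_datetime(headers["Date"])  # RFC 1123 date
    except (KeyError, ValueError, TypeError):
        return 403, "MalformedRequest"
    if sent_at.tzinfo is None:
        sent_at = sent_at.replace(tzinfo=timezone.utc)
    if abs(now - sent_at) > MAX_SKEW:  # stale or future-dated request
        return 403, "DateOutsideWindow"
    secret = SECRETS.get(ak)
    if secret is None:
        return 403, "UnknownAccessKey"
    expected = sign(secret, method, path, headers)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 403, "SignatureDoesNotMatch"  # constant-time comparison
    return 200, "OK"


def demo_request(now, path="/bucket/object.txt"):
    """Steps 1 to 3: build a constructed GET request and attach S."""
    headers = {"Date": format_datetime(now, usegmt=True)}
    s = sign(SECRETS["EXAMPLE_AK"], "GET", path, headers)
    headers["Authorization"] = f"DEMO EXAMPLE_AK:{s}"
    return headers
```

Because the Date value is part of the signed string, a captured request cannot be given a fresh Date without invalidating S, which is what bounds reuse to the 15-minute window.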