Last updated: 2026-03-05 GMT+08:00

Example of the API signature authentication mechanism

Take the query-VPC-list API of the Virtual Private Cloud service as an example and assume the original request is as follows:

GET https://service.region.example.com/v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs?limit=2&marker=13551d6b-755d-4757-b956-536f674975c0 HTTP/1.1
Host: service.region.example.com
X-Sdk-Date: 20191115T033655Z
  1. Construct the canonical request.

    GET
    /v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs/
    limit=2&marker=13551d6b-755d-4757-b956-536f674975c0
    content-type:application/json
    host:service.region.example.com
    x-sdk-date:20191115T033655Z
    
    content-type;host;x-sdk-date
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    • HTTPRequestMethod
      GET
    • CanonicalURI
      The URI of the query-VPC-list API is /v1/{project_id}/vpcs; with project_id 77b6a44cba5143ab91d13ab9a8ff44fd, the canonical URI is:
      /v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs/
    • CanonicalQueryString
      The query-VPC-list API has two optional parameters, limit (number of records returned per page) and marker (ID of the VPC resource from which the page starts). The canonical query string is:
      limit=2&marker=13551d6b-755d-4757-b956-536f674975c0
    • CanonicalHeaders
      The request headers of the query-VPC-list API include the signing time (X-Sdk-Date), the cloud service endpoint (Host) and the content type (Content-Type). The canonical headers are:
      content-type:application/json
      host:service.region.example.com
      x-sdk-date:20191115T033655Z
                                     //this line is empty
    • SignedHeaders
      Add the three headers Content-Type, Host and X-Sdk-Date:
      content-type;host;x-sdk-date
    • RequestPayload
      This example uses the GET method, so the body is empty. The hashed body (SHA-256 of the empty string) is:
      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

  2. Create the string to sign.

    SDK-HMAC-SHA256
    20191115T033655Z
    b25362e603ee30f4f25e7858e8a7160fd36e803bb2dfe206278659d71a9bcd7a
    • Algorithm
      SDK-HMAC-SHA256
    • RequestDateTime
      20191115T033655Z
    • HashedCanonicalRequest

      The SHA-256 hash of the canonical request constructed in step 1.

      b25362e603ee30f4f25e7858e8a7160fd36e803bb2dfe206278659d71a9bcd7a

  3. Calculate the signature.

    Signature=f12f84a5ecf9eff3206499c4a55b13d1adad745dc8624a2e31f15c6b381d5b80

    Assume the SK (Secret Access Key) is MFyf***VmHc. The Signature value above is obtained by computing a keyed hash (HMAC) over the string to sign from step 2, using the SK as the key.

    signature = HexEncode(HMAC(MFyf***VmHc, b25362e603ee30f4f25e7858e8a7160fd36e803bb2dfe206278659d71a9bcd7a))

  4. Add the signature information to the request header.

    Add the signature information to the Authorization header. SignedHeaders lists the three headers from step 1, Content-Type, Host and X-Sdk-Date. Assume the AK (Access Key) is QTWA***KYUC.

    Authorization: SDK-HMAC-SHA256 Access=QTWA***KYUC, SignedHeaders=content-type;host;x-sdk-date, Signature=f12f84a5ecf9eff3206499c4a55b13d1adad745dc8624a2e31f15c6b381d5b80

  5. The complete signed request.

    GET /v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs?limit=2&marker=13551d6b-755d-4757-b956-536f674975c0 HTTP/1.1
    Host: service.region.example.com
    Content-Type: application/json
    x-sdk-date: 20191115T033655Z
    Authorization: SDK-HMAC-SHA256 Access=QTWA***KYUC, SignedHeaders=content-type;host;x-sdk-date, Signature=f12f84a5ecf9eff3206499c4a55b13d1adad745dc8624a2e31f15c6b381d5b80
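Steps 1 to 5 above, written out as an added Python example (not the service's own SDK code) that builds the canonical request, the string to sign and the Authorization header, and also shows the server-side recomputation with a constant-time comparison. The AK/SK values used in the test are constructed placeholders, so the resulting signature differs from the one on the page; the canonical request itself matches step 1 byte for byte.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "SDK-HMAC-SHA256"

def canonical_request(method, path, query, headers, body=b""):
    # Step 1: build the canonical request in the exact layout shown above.
    # CanonicalURI: each path segment URI-encoded, with a trailing "/" as on the page.
    uri = "/".join(quote(seg, safe="~") for seg in path.split("/"))
    if not uri.endswith("/"):
        uri += "/"
    # CanonicalQueryString: parameters sorted by name, names and values URI-encoded.
    qs = "&".join(f"{quote(k, safe='~')}={quote(v, safe='~')}" for k, v in sorted(query.items()))
    # CanonicalHeaders: lower-case names, trimmed values, sorted, each ending in "\n";
    # that trailing "\n" is what yields the empty line before SignedHeaders.
    items = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in items)
    signed_headers = ";".join(k for k, _ in items)
    payload_hash = hashlib.sha256(body).hexdigest()  # RequestPayload: hex SHA-256 of the body
    parts = [method.upper(), uri, qs, canonical_headers, signed_headers, payload_hash]
    return "\n".join(parts), signed_headers

def string_to_sign(canon_req, sdk_date):
    # Step 2: algorithm, request timestamp, hex SHA-256 of the canonical request.
    return "\n".join([ALGORITHM, sdk_date, hashlib.sha256(canon_req.encode()).hexdigest()])

def compute_signature(sk, method, path, query, headers, body=b""):
    # Step 3: HMAC-SHA256 over the string to sign, keyed with the SK.
    canon_req, signed_headers = canonical_request(method, path, query, headers, body)
    sdk_date = {k.lower(): v for k, v in headers.items()}["x-sdk-date"]
    sts = string_to_sign(canon_req, sdk_date)
    return hmac.new(sk.encode(), sts.encode(), hashlib.sha256).hexdigest(), signed_headers

def authorization_header(ak, sk, method, path, query, headers, body=b""):
    # Step 4: the Authorization header value carried by the signed request.
    sig, signed_headers = compute_signature(sk, method, path, query, headers, body)
    return f"{ALGORITHM} Access={ak}, SignedHeaders={signed_headers}, Signature={sig}"

def verify_request(sk, authorization, method, path, query, headers, body=b""):
    # Server side: recompute over the received request and compare in constant time.
    # Any change to method, path, query, a signed header or the body fails verification.
    fields = dict(f.strip().split("=", 1) for f in authorization.split(" ", 1)[1].split(","))
    signed = set(fields["SignedHeaders"].split(";"))
    if not {"host", "x-sdk-date"} <= signed:  # host and timestamp must be bound by the signature
        return False
    subset = {k: v for k, v in headers.items() if k.lower() in signed}
    expected, _ = compute_signature(sk, method, path, query, subset, body)
    return hmac.compare_digest(expected, fields["Signature"])
```

A real verifier additionally checks that X-Sdk-Date lies within its accepted clock window, which the page does not specify and the example therefore leaves out.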

An equivalent curl command is as follows:

curl -X GET "https://service.region.example.com/v1/77b6a44cba5143ab91d13ab9a8ff44fd/vpcs?limit=2&marker=13551d6b-755d-4757-b956-536f674975c0" -H "content-type: application/json" -H "X-Sdk-Date: 20191115T033655Z" -H "host: service.region.example.com" -H "Authorization: SDK-HMAC-SHA256 Access=QTWA***KYUC, SignedHeaders=content-type;host;x-sdk-date, Signature=f12f84a5ecf9eff3206499c4a55b13d1adad745dc8624a2e31f15c6b381d5b80" -d $''