An application's signature key is a key pair (ApiAppKey and ApiAppSecret). When a client calls the API, it must use this signature key to calculate a signature over the request content and send the signature to the server for verification. This document describes how to implement the signature calculation on the client.

Key: each application has its own key pair (ApiAppKey and ApiAppSecret). After the API owner authorizes the API to a specified application (which can be issued by the API owner or owned by an API caller), the API caller can use that application's signature key to call the API.

Signature calculation process: the client extracts the critical data from the request, signs it with the ApiAppSecret, places the ApiAppKey and the encrypted signature string in the request header, and sends the request to API Gateway. API Gateway reads the ApiAppKey from the request header, looks up the ApiAppSecret that corresponds to that ApiAppKey, uses it to perform the same signature calculation on the critical data of the received request, and compares the generated signature with the signature sent by the client. Only a request that passes signature verification is forwarded to the backend service; otherwise, API Gateway deems the request invalid and directly returns an error.

On the client:
1. Extract the critical data from the request and assemble it into the critical data signature string.
2. Use the ApiAppSecret to encrypt the critical data signature string to get a signature.
3. Put the ApiAppKey and the signature in the request header and send the request.

On API Gateway:
1. Read the ApiAppKey from the received request and query the corresponding ApiAppSecret through the ApiAppKey.
2. Extract the critical data from the received request and assemble it into the critical data signature string.
3. Use the ApiAppSecret to encrypt the critical data signature string to get a signature.
4. Compare the result with the signature sent by the client.

Step 1: extract the critical data to sign. The string to sign is assembled from Headers, HTTPMethod, Accept, Content-Type, Content-MD5, and PathAndParameters, in that order, separated by \n. Headers must contain X-Date. There is no need to add \n after PathAndParameters. Even if other fields are empty, their \n must still be retained. The signature is case sensitive. The extraction rules for each field are as follows:

- Headers: the signed headers are concatenated in the following format:

  HeaderKey1 + ": " + HeaderValue1 + "\n" +
  HeaderKey2 + ": " + HeaderValue2 + "\n" +
  ...
  HeaderKeyN + ": " + HeaderValueN + "\n"
  Only the headers listed in the headers field of Authorization are involved in the signature calculation. We recommend that you convert their names to lowercase and separate them with ASCII spaces. For example, if the headers involved in the calculation are date and source, the format should be headers="date source"; if only the x-date header participates in the calculation, the format should be headers="x-date".
- HTTPMethod: the HTTP method of the request (POST in the example below).
- Accept: value of the Accept header in the request, which can be empty. We recommend that you set the Accept header explicitly: if it is empty, some HTTP clients set it to the default value */*, causing signature verification to fail.
- Content-Type: value of the Content-Type header in the request, which can be empty.
- Content-MD5: value of the Content-MD5 header in the request, which can be empty. The Content-MD5 header is calculated only when the request has a Body in a non-Form format. In Java, the Content-MD5 value is calculated as follows:

  ```java
  // Base64 is org.apache.commons.codec.binary.Base64; MD5 comes from java.security.MessageDigest
  String contentMD5 = Base64.encodeBase64String(MessageDigest.getInstance("MD5").digest(bodyStream.getBytes("UTF-8")));
  ```
- PathAndParameters: this field is made up of Path, Query, and Form. Path comes first, and the Query and Form parameters are appended after ? as key=value pairs (see the example request below). Notes:
  - Path does not contain release environment (release, prepub, test) information.
  - Query and Form parameter pairs are sorted in lexicographical order and then spliced in the above-mentioned way.
  - If the Query and Form parameters are empty, use Path directly without adding ?.
  - If a parameter in Query or Form has multiple values (i.e., parameters with the same key but different values), the values are sorted in lexicographical order and then spliced in the above-mentioned way.

Example request:

```
POST / HTTP/1.1
host:service-3rmwxxxx-1255968888.cq.apigw.tencentcs.com
accept:application/json
content-type:application/x-www-form-urlencoded
source:apigw test
x-date:Thu, 11 Mar 2021 08:29:58 GMT
content-length:8

p=test
```

With headers="source x-date", the resulting signing_str is:

```
source: apigw test
x-date: Thu, 11 Mar 2021 08:29:58 GMT
POST
application/json
application/x-www-form-urlencoded

/?p=test
```
Step 2: calculate the signature. Use the HMAC algorithm (HMAC-SHA1 or HMAC-SHA256) with the ApiAppSecret (secret_key) as the key to encrypt signing_str (the signing information) to get a byte array, then Base64-encode the byte array to get the signature.

Step 3: add the signature to the Authorization header of the HTTP request and transfer the request to API Gateway for signature verification. The format of the Authorization header is as follows:

```
Authorization: hmac id="secret_id", algorithm="hmac-sha1", headers="date source", signature="Base64(HMAC-SHA1(signing_str, secret_key))"
```

The parameters in Authorization are described as follows:

| Parameter | Description |
| --- | --- |
| hmac | Fixed; indicates the calculation method |
| id | Value of the secret_id in the key (the ApiAppKey) |
| algorithm | Encryption algorithm. HMAC-SHA1 and HMAC-SHA256 are currently supported |
| headers | Headers involved in the signature calculation |
| signature | Signature obtained after the calculation is completed, with signing_str as its content |
Example request carrying the signature:

```
POST / HTTP/1.1
host:service-3rmwxxxx-1255968888.cq.apigw.tencentcs.com
accept:application/json
content-type:application/x-www-form-urlencoded
source:apigw test
x-date:Thu, 11 Mar 2021 08:29:58 GMT
Authorization:hmac id="xxxxxxx", algorithm="hmac-sha1", headers="source x-date", signature="xyxyxyxyxyxy"
content-length:8

p=test
```

Troubleshooting: if signature verification fails, API Gateway returns the StringToSign it calculated on the server in the error message, with the \n characters in StringToSign replaced with #. Compare it with the signing_str calculated on the client; if the two are identical, check whether the ApiAppSecret used for signature calculation is correct. Example error message:

```
"message":"HMAC signature does not match, Server StringToSign:source: apigw test#x-date: Thu, 11 Mar 2021 08:49:30 GMT#POST#application\/json#application\/x-www-form-urlencoded##\/?p=test"
```

The corresponding signing_str calculated on the client is:

```
source: apigw test
x-date: Thu, 11 Mar 2021 08:29:58 GMT
POST
application/json
application/x-www-form-urlencoded

/?p=test
```
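The signing procedure and the gateway-side check described above, as an added example (not the page's or API Gateway's own code): it builds signing_str from the sample request, signs it with HMAC-SHA1, forms the Authorization header, and performs the server-side comparison that yields the #-separated StringToSign on mismatch. It assumes a placeholder ApiAppSecret and that several parameter pairs are joined with &, which the page's single-pair example does not show.

```python
import base64
import hashlib
import hmac

# Constructed sample values copied from the example request above; the secret is a placeholder.
SAMPLE_HEADERS = {
    "host": "service-3rmwxxxx-1255968888.cq.apigw.tencentcs.com",
    "accept": "application/json",
    "content-type": "application/x-www-form-urlencoded",
    "source": "apigw test",
    "x-date": "Thu, 11 Mar 2021 08:29:58 GMT",
}
PLACEHOLDER_SECRET = "ApiAppSecret-placeholder"  # assumed value, not a real key

def content_md5(body: bytes, is_form: bool) -> str:
    """Content-MD5 = Base64(MD5(body)); computed only for a non-Form body."""
    if not body or is_form:
        return ""
    return base64.b64encode(hashlib.md5(body).digest()).decode()

def build_signing_str(method, headers, signed_names, path, params, md5=""):
    """Signed headers ('key: value\\n' each), then HTTPMethod, Accept, Content-Type,
    Content-MD5 and PathAndParameters joined by '\\n'; empty fields keep their '\\n'."""
    if "x-date" not in signed_names:
        raise ValueError("Headers must contain X-Date")
    hdr = "".join(f"{k}: {headers[k]}\n" for k in signed_names)
    # Query/Form pairs sorted lexicographically (repeated keys sorted by value);
    # joining several pairs with '&' is an assumption, the page shows one pair only.
    pairs = sorted((k, v) for k, vs in params.items() for v in vs)
    pp = path + ("?" + "&".join(f"{k}={v}" for k, v in pairs) if pairs else "")
    return "\n".join([hdr + method, headers.get("accept", ""),
                      headers.get("content-type", ""), md5, pp])

def sign(signing_str: str, secret: str, algorithm: str = "hmac-sha1") -> str:
    """signature = Base64(HMAC(signing_str, ApiAppSecret)) with SHA1 or SHA256."""
    digest = {"hmac-sha1": hashlib.sha1, "hmac-sha256": hashlib.sha256}[algorithm]
    return base64.b64encode(hmac.new(secret.encode(), signing_str.encode(), digest).digest()).decode()

def authorization_header(api_app_key, secret, signed_names, signing_str):
    sig = sign(signing_str, secret)
    return (f'hmac id="{api_app_key}", algorithm="hmac-sha1", '
            f'headers="{" ".join(signed_names)}", signature="{sig}"')

def verify(signing_str: str, secret: str, presented_sig: str):
    """Gateway-side check: recompute, compare in constant time, and on mismatch
    return StringToSign with '\\n' replaced by '#', as the error message does."""
    if hmac.compare_digest(sign(signing_str, secret).encode(), presented_sig.encode()):
        return True, ""
    return False, "Server StringToSign:" + signing_str.replace("\n", "#")
```

Running build_signing_str on the sample request with signed_names ["source", "x-date"] reproduces the signing_str shown above byte for byte, which is the first thing to check when the gateway reports a mismatch.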