Signature Method

Last updated: 2020-02-26 15:27:27

    Tencent Cloud API authenticates each access request: every request must include signing information (Signature) in the common request parameters to verify the user's identity. The signature is generated from the user's security credential, which consists of a SecretId and a SecretKey. If you do not have a security credential, you need to apply for one on the Tencent Cloud official website; otherwise you will not be able to call Cloud API.

    Signature algorithm description

    CMQ supports the SHA1 and SHA256 signature methods. The signature algorithm is specified through the SignatureMethod parameter: if its value is HmacSHA256, the SHA256 signature is used. If the parameter is not passed, or its value is anything other than HmacSHA256, the signature is calculated using SHA1.

    1. Apply for security credential

    Before using Cloud API for the first time, users need to apply for a security credential on the Tencent Cloud console. The security credential includes a SecretId and a SecretKey: the SecretId identifies the API caller, and the SecretKey is the key used to generate the signature string and to verify it on the server side. Users should take strict care of their SecretKey to avoid disclosure.

    Apply for your security credentials:

    1.1 Log in to the Tencent Cloud Console.
    1.2 Click [Tencent Cloud services] and, under the [Management and Audit] column, select [Access Key] to enter the cloud API key management page.
    1.3 On the Cloud API access key management page, click "Create" to create a pair of SecretId/SecretKey. Each account can have up to two pairs of SecretId/SecretKey.

    2. Generate signature string

    A signature can be created with a SecretId and SecretKey pair. The detailed process for generating a signature string is given below.

    Assume that the SecretId and SecretKey are:

    • SecretId: AKIDPcY*****CVYLn3zT
    • SecretKey: pPgfLip*****aU7UbQyFFx

    This is just an example. Use your actual SecretId and SecretKey when following the steps below.

    Take a request to the message-sending API (SendMessage) as an example. When a user calls this API, the request parameters may be as follows:

    Parameter name  | Description                             | Parameter value
    ----------------|-----------------------------------------|---------------------
    Action          | Method name                             | SendMessage
    SecretId        | Key ID                                  | AKIDPcY*****CVYLn3zT
    Timestamp       | Current timestamp                       | 1534154812
    SignatureMethod | The method used for signature           | HmacSHA1
    Nonce           | Random positive integer                 | 2889712707386595659
    queueName       | Name of the queue that sent the message | test1
    RequestClient   | Client version                          | SDK_Python_1.3
    clientRequestId | Client custom unique ID                 | 123***1231
    delaySeconds    | Delay time                              | 0
    msgBody         | The content of the message sent         | msg

    As the table shows, the request contains only five common request parameters (Action, SecretId, Timestamp, Nonce and SignatureMethod) instead of the six described in "Common request parameters". The sixth parameter, Signature (the signature string), is generated from the other parameters (including the instruction request parameters). The specific steps are as follows:

    2.1. Sort the parameters

    First, sort all request parameters in ascending lexicographical order by parameter name. Lexicographical order is the way words are arranged in a dictionary, following the increasing order of the alphabet or numeric table: the first "letter" is compared first; if the first letters are the same, the second "letter" is compared, and so on. You can use sorting functions available in programming languages, such as the ksort function in PHP. For example


    Any other programming language can be used to sort these parameters as long as the same result is produced.

    2.2. Concatenate request string

    This step generates a request string.
    Format the request parameters sorted in the previous step into the form "parameter name"="parameter value". For example, for the Action parameter, the parameter name is "Action" and the parameter value is "SendMessage", so it is formatted as Action=SendMessage.

    • The parameter value is the original value, not the URL-encoded value.
    • If the input parameter contains an underscore, you need to convert it to "."

    Then the formatted parameters are concatenated with "&", and the resulting request string is:


    2.3. Concatenate plaintext signature

    This step generates the original signature string, which consists of the following parameters:

    • Request method: POST and GET are supported. GET request is used here. Note that the method is all uppercase.
    • Request domain name: the private network domain name of CMQ in the Guangzhou region is assumed here:
    • Request path: the request path of Cloud API is always /v2/index.php .
    • Request string: that is, the request string generated in the previous step.

    The concatenation rule for the original signature string is as follows: Request method + Request domain name + Request path + ? + Request string

    The concatenation result of the sample is:*****CVYLn3zT&SignatureMethod=HmacSHA1&Timestamp=1534154812&clientRequestId=123***1231&delaySeconds=0&msgBody=msg&queueName=test1

    2.4. Generate signature string

    This step generates the signature string.
    First, sign the original signature string obtained in the previous step using the HMAC-SHA1 algorithm, then encode the resulting signature using Base64 to get the final signature string.

    The specific code is as follows with the PHP language being an example:

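    <?php
    // SecretKey of the example credential used on this page.
    $secretKey = 'pPgfLipfEXZ7VcRzhAMIyPaU7UbQyFFx';
    // Original signature string from step 2.3.
    $srcStr = '*****CVYLn3zT&SignatureMethod=HmacSHA1&Timestamp=1534154812&clientRequestId=123***1231&delaySeconds=0&msgBody=msg&queueName=test1';
    // The last argument (true) requests the raw binary HMAC, which is then Base64-encoded.
    $signStr = base64_encode(hash_hmac('sha1', $srcStr, $secretKey, true));
    echo $signStr;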

    The final signature string is:


    When developing in another programming language, you can verify your implementation by signing the original string from the example above; the signature string obtained should be consistent with the one in the example.

    3. Signature string coding

    • The generated signature string cannot be directly used as a request parameter and needs to be URL encoded.
    • If the user's request method is GET, all request parameter values need to be URL encoded.

    For example, the signature string generated in the previous step is C16WEtEXsD5v5tnaUMLAbZewXhI=. After URL encoding it becomes C16WEtEXsD5v5tnaUMLAbZewXhI%3d. Therefore, the final signature string request parameter (Signature) is C16WEtEXsD5v5tnaUMLAbZewXhI%3d, which is used to generate the final request URL.
    The final request string is:
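
    The whole procedure from sections 2 and 3 in Python, as an added example that is not part of the original page or of any Tencent SDK. The function names, the key, the host and the SecretId value are constructed placeholders, and applying the underscore-to-"." rule to parameter names is an assumption. It also covers the HmacSHA256 branch from the algorithm description and a constant-time comparison for the verifying side.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

API_PATH = "/v2/index.php"  # request path stated on this page

def canonical_query(params):
    """Steps 2.1-2.2: sort by name, join raw (not URL-encoded) name=value with '&'."""
    # Assumption: the underscore-to-'.' rule is applied to parameter names.
    pairs = {name.replace("_", "."): str(value) for name, value in params.items()}
    # sorted() uses code-point order, so "Timestamp" precedes "clientRequestId".
    return "&".join(f"{name}={pairs[name]}" for name in sorted(pairs))

def source_string(method, host, params):
    """Step 2.3: request method + domain name + path + '?' + request string."""
    return f"{method.upper()}{host}{API_PATH}?{canonical_query(params)}"

def sign(secret_key, method, host, params):
    """Step 2.4: HMAC over the source string, then Base64 of the raw digest."""
    # SHA256 only when SignatureMethod is exactly HmacSHA256; otherwise SHA1.
    use_sha256 = params.get("SignatureMethod") == "HmacSHA256"
    digest = hashlib.sha256 if use_sha256 else hashlib.sha1
    msg = source_string(method, host, params).encode()
    return base64.b64encode(hmac.new(secret_key.encode(), msg, digest).digest()).decode()

def verify(secret_key, method, host, params, presented):
    """Verifying side: recompute the signature and compare in constant time."""
    expected = sign(secret_key, method, host, params)
    return hmac.compare_digest(expected.encode(), presented.encode())

def signed_query(secret_key, method, host, params):
    """Section 3: URL-encode every value, Signature included, for a GET request."""
    final = dict(params, Signature=sign(secret_key, method, host, params))
    return "&".join(f"{k}={quote(str(v), safe='')}" for k, v in final.items())

# Constructed sample: placeholder key, host and SecretId, not real values.
SAMPLE_KEY = "example-secret-key"
SAMPLE_HOST = "cmq.example.invalid"
SAMPLE_PARAMS = {
    "Action": "SendMessage", "SecretId": "AKIDEXAMPLE", "Timestamp": 1534154812,
    "SignatureMethod": "HmacSHA1", "Nonce": 2889712707386595659,
    "queueName": "test1", "msgBody": "msg", "delaySeconds": 0,
}

if __name__ == "__main__":
    print(source_string("GET", SAMPLE_HOST, SAMPLE_PARAMS))
    print(signed_query(SAMPLE_KEY, "GET", SAMPLE_HOST, SAMPLE_PARAMS))
```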

