Signature Method

Last updated: 2020-02-26 15:27:27

Tencent Cloud API authenticates each Access request, that is, each request needs to include Signing information (Signature) in the common request parameters to verify the user's identity. Signing information is generated by user-owned security credential, including SecretId and SecretKey,. If you do not have security credential, you need to apply on Tencent Cloud official website, otherwise you will not be able to call Cloud API.

Signature algorithm description

CMQ supports clients to use SHA1 and SHA256 signature methods. Users can specify signature algorithm through the parameter SignatureMethod, and use SHA256 signature if the parameter value is HmacSHA256. If this parameter is not passed, or if the value is not equal to HmacSHA256, the signature is calculated using SHA1.

1. Apply for security credential

Before using Cloud API for the first time, users need to apply for Security credential on the Tencent Cloud console. The security credential includes SecretId and SecretKey, where SecretId is used to identify the API caller, and SecretKey is the key used to encrypt the signature string and verify the signature string on the server side. Users should take strict care of their SecretKey, to avoid disclosure.

Apply for your security credentials:

1.1 Login Tencent Cloud Console console .
1.2 Click [Tencent Cloud services] and select [under the Management and Audit] column Access Key ] to enter the cloud API key management page.
1.3 in Access key Management of Cloud API Page, click "Create" to create a pair of SecretId/SecretKey, and each account can have up to two pairs of SecretId/SecretKey.

2. Generate signature string

A signature can be created with a set of secret ID and secret key.. A detailed process for generating a signature string is given below.

Assume that the SecretId and SecretKey are:

  • SecretId: AKIDPcY*****CVYLn3zT
  • SecretKey: pPgfLip*****aU7UbQyFFx

This is just an example. Ask users to follow up according to their actual SecretId and SecretKey.

Take the (SendMessage) request for an example of sending message API as an example. When a user calls this API, the request parameters may be as follows:

Parameter name English Parameter value
Action Method name SendMessage
SecretID Key ID AKIDPcY*****CVYLn3zT
Timestamp Current timestamp 1534154812
SignatureMethod The method used for signature HmacSHA1
Nonce Random positive integer 2889712707386595659
QueueName Name of the queue that sent the message test1
RequestClient Client version SDK_Python_1.3
ClientRequestId Client custom unique ID one hundred and twenty three *** 1231
DelaySeconds Delay time * 2018-5-4
MsgBody The content of the message sent Msg

As can be seen from the above table, there are only five common request parameters in the request parameters: Action, SecretId, Timestamp, Nonce and SignatureMethod, instead of the six described in "Common request parameters". In fact, the sixth parameter, Signature (signature string), is generated by other parameters (including instruction request parameters). The specific steps are as follows:

2.1. Sort the parameters

First of all, all the request parameters are arranged in Lexicographical order ascending order according to the parameter names, the so-called Lexicographical order ascending order, which is intuitively just like arranging words in a dictionary, according to the increasing order in the alphabet or numeric table. that is, consider the first "letter" first, consider the second "letter" in the same case, and so on. You can use sorting functions available in programming languages, such as the ksort function in PHP.. For example


Any other programming language can be used to sort these parameters as long as the same result is produced.

2.2. Concatenate request string

This step generates a request string.
Format the request parameters sorted in the previous step into the form of "parameter name" = "parameter value". For example, for the Action parameter, the parameter name is "Action" and the parameter value is "SendMessages", so it is formatted as Action=SendMessage.

  • Parameter value is the original value rather than the url encoded value.
  • If the input parameter contains an underscore, you need to convert it to "."

Then the formatted parameters are concatenated with "&", and the resulting request string is:


2.3. Concatenate plaintext signature

This step generates a signature original string.
which consists of the following parameters:

  • Request method: POST and GET are supported. GET request is used here. Note that the method is all uppercase.
  • Request domain name: it is assumed that the request Guangzhou region cmq private network domain name:
  • Request path: the request path of Cloud API is always /v2/index.php .
  • Request string: that is, the request string generated in the previous step.

The stitching rules for the original signature string are as follows: Request method + Request CVM +Request path + ? + Request string

The concatenation result of the sample is:*****CVYLn3zT&SignatureMethod=HmacSHA1&Timestamp=1534154812&clientRequestId=123***1231&delaySeconds=0&msgBody=msg&queueName=test1

2.4. Generate signature string

This step is to generate a signature string.
First use the HMAC-SHA1 algorithm to match the Signature original string Sign the signature, and then encode the generated signature string using Base64 to get the final signature string.

The specific code is as follows with the PHP language being an example:

$secretKey = 'pPgfLipfEXZ7VcRzhAMIyPaU7UbQyFFx';
$srcStr = '*****CVYLn3zT&SignatureMethod=HmacSHA1&Timestamp=1534154812&clientRequestId=123***1231&delaySeconds=0&msgBody=msg&queueName=test1';
$signStr = base64_encode(hash_hmac('sha1', $srcStr, $secretKey, true));
echo $signStr;

The final signature string is:


When developing with other programming languages, the original text in the above example can be used for signature verification, and the signature string obtained is consistent with that in the example.

3. Signature string coding

  • The generated signature string cannot be directly used as a request parameter and needs to be URL encoded.
  • If the user's request method is GET, all request parameter values need to be URL encoded.

For example, the signature string generated in the previous step is C16WEtEXsD5v5tnaUMLAbZewXhI= If it is encoded, it will be C16WEtEXsD5v5tnaUMLAbZewXhI%3d . Therefore, the final signature string request parameter (Signature) is: C16WEtEXsD5v5tnaUMLAbZewXhI%3d Which will be used to generate the final request URL
The final request string is: