Adding a Signature to Your API Request

You can add the signature to your API request after you calculate it in Calculating a Signature.

You can include the signature either in the HTTP Authorization header or as a parameter in the query string, but not in both at the same time.

You do not need to do this procedure if you use AWS CLI or an SDK for your API request.

Adding the signature to the Authorization header

Before you begin: Complete the Calculating a Signature procedure.

To build the Authorization header, refer to the following pseudocode:

Example of Authorization header
Authorization: algorithm Credential=access key ID/credential scope, SignedHeaders=SignedHeaders, Signature=signature
  • Do not insert any comma between the algorithm and Credential. However, separate the following values with commas.

  • The value of Credential is the ID of the access key, followed by a slash (/), followed by the credential information calculated in Creating a String to Sign. The secret key is used to create the signing key that you need for the signature, but it is not part of the signature information included in the request.

The HTTP Authorization header is created and contains the signature.

Example of Authorization header
Authorization: AWS4-HMAC-SHA256 Credential=ACCESSKEYID/20180915/eu-west-2/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=8522c3bcf28f7c39dd7667ccf86a8d31718ca04d56d39d48649119d48021f567

Adding the signature to the query string

To build a query string with all the parameters of the request and the calculated signature, refer to the following pseudocode:

Example of query string
querystring = Action=action
querystring += &X-Amz-Algorithm=algorithm
querystring += &X-Amz-Credential= urlencode(access_key_ID + '/' + credential_scope)
querystring += &X-Amz-Date=date
querystring += &X-Amz-Expires=timeout interval
querystring += &X-Amz-SignedHeaders=signed_headers
querystring += &X-Amz-Signature=signature

All the values of the query string, except for the signature, are included in the canonical query string which is part of the canonical request you created in Creating a Canonical Request.

If you create a request in which all the parameters are included in the query string, the resulting URL represents an action that is already authenticated. Therefore, you must treat this URL with as much caution as you would for your actual credentials. We recommend specifying a short expiration time for the request with the X-Amz-Expires parameter.

The query string contains all the parameters of the request and the signature.

Example of query string with the signature

Related Pages

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.