Signing AWS API requests - AWS General Reference
Signing AWS API requests

When you send HTTP requests to AWS, you sign the requests so that AWS can identify who sent them. You sign requests with your AWS access key, which consists of an access key ID and secret access key. Some requests do not need to be signed, such as anonymous requests to Amazon Simple Storage Service (Amazon S3) and some API operations in AWS Security Token Service (AWS STS) such as AssumeRoleWithWebIdentity.
You need to learn how to sign HTTP requests only when you manually create them. When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.

To learn how to create, view, and download access key IDs and secret access keys, see Programmatic access.

When to sign requests

When you write custom code to send HTTP requests to AWS, you need to include code to sign the requests. You might do this for the following reasons:

  • You are working with a programming language for which there is no AWS SDK.

  • You want complete control over how a request is sent to AWS.

You don't need to sign a request when you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs. These tools manage the connection details, such as calculating signatures, handling request retries, and error handling. In most cases, they also contain sample code, tutorials, and other resources to help you get started writing applications that interact with AWS.

Why requests are signed

The signing process helps secure requests in the following ways:

  • Verify the identity of the requester

    Signing makes sure that the request has been sent by someone with a valid access key. For more information, see Understanding and getting your AWS credentials.

  • Protect data in transit

    To prevent tampering with a request while it's in transit, some of the request elements are used to calculate a hash (digest) of the request, and the resulting hash value is included as part of the request. When an AWS service receives the request, it uses the same information to calculate a hash and compares it with the hash value in your request. If the values don't match, AWS denies the request.

  • Protect against potential replay attacks

    In most cases, a request must reach AWS within five minutes of the time stamp in the request. Otherwise, AWS denies the request.

Signing requests

To sign a request, you first calculate a hash (digest) of the request. You then use the hash value, some other information from the request, and your secret access key to calculate another hash known as the signature, and add the signature to the request in one of the following ways:

  • Using the HTTP Authorization header.

  • Adding a query string value to the request. Because the signature is part of the URL in this case, this type of URL is called a presigned URL.
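The steps just described, worked through in Python as an added example that is not code from the AWS documentation: hash the canonical request, derive a signing key from the secret access key, HMAC the string to sign, and attach the result either in the Authorization header or as query parameters for a presigned URL. The access key, secret, time stamp and request values used when calling it are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGO = "AWS4-HMAC-SHA256"

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # Derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning.
    # The secret access key itself never leaves the client; only HMAC output does.
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def canonical_query(params: dict) -> str:
    # Parameters sorted by name, each name and value URI-encoded (RFC 3986).
    return "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()))

def sign_request(method, host, path, params, headers, payload, access_key,
                 secret, region, service, amz_date, presign=False):
    """Sign one request; return the signature plus either headers or a presigned URL."""
    date, params = amz_date[:8], dict(params)
    scope = f"{date}/{region}/{service}/aws4_request"
    # Canonical headers: lowercase names, values with runs of spaces collapsed.
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    if presign:
        # Query-string variant: auth parameters join the query, only 'host' is signed.
        hdrs = {"host": host}
        params.update({"X-Amz-Algorithm": ALGO, "X-Amz-Credential": f"{access_key}/{scope}",
                       "X-Amz-Date": amz_date, "X-Amz-Expires": "300",
                       "X-Amz-SignedHeaders": "host"})
    else:
        hdrs["x-amz-date"] = amz_date
    signed = ";".join(sorted(hdrs))
    canonical = "\n".join([method, path, canonical_query(params),
                           "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs)),
                           signed, _sha256_hex(payload)])
    string_to_sign = "\n".join([ALGO, amz_date, scope, _sha256_hex(canonical.encode())])
    sig = _hmac(signing_key(secret, date, region, service), string_to_sign).hex()
    if presign:
        params["X-Amz-Signature"] = sig
        return {"signature": sig, "url": f"https://{host}{path}?{canonical_query(params)}"}
    auth = f"{ALGO} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"
    return {"signature": sig, "headers": {**hdrs, "authorization": auth}}
```

Because the payload hash and every signed header feed the canonical request, changing any of them (or the query string) produces a different signature, which is the tamper protection described above; the time stamp in `x-amz-date` is what the five-minute replay window is checked against.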

Signature versions

AWS supports two signature versions: Signature Version 4 and Signature Version 2. You should use Signature Version 4. All AWS services support Signature Version 4, except Amazon SimpleDB, which requires Signature Version 2. For AWS services that support both versions, we recommend that you use Signature Version 4.

All AWS Regions support Signature Version 4.