HMAC-SHA256 Signatures for REST Requests
This section describe how Product Advertising API uses HMAC-SHA256 signatures to authenticate REST requests.
The following parameters are used by Product Advertising API for REST authentication:
- Signature — Required
There is no default value. A signature is created by using the request type, domain, the URI, and a sorted string of every parameter in the request (except the Signature parameter itself) with the following format
<parameter>=<value>&. After it's properly formatted, create a base64-encoded HMAC-SHA256 signature with your AWS secret key. For more information, see Example REST Requests.
- Timestamp — Required
There is no default value. The time stamp you use in the request must be a
dateTimeobject, with the complete date, including hours, minutes, and seconds. This is a fixed-length subset of the format defined by ISO 8601, represented in Universal Time (GMT):
YYYY-MM-DDThh:mm:ssZ(where T and Z are literals). For more information, see Date and Time Formats.
If you are using .NET, you should not send overly specific time stamps, due to differing
interpretations of how extra time precision should be dropped. To avoid overly
specific time stamps, manually construct
dateTime objects with no more
than millisecond precision.
Basic Authentication Process
The following describes the steps required to authenticate requests to AWS using an HMAC-SHA256 request signature.
You construct a request to AWS.
You calculate a keyed-hash message authentication code (HMAC-SHA256) signature with your secret access key. For information about HMAC, see RFC2104.
You include the signature and your access key ID in the request, and then send the request to AWS.
The Product Advertising API uses your access key ID to look up your secret access key.
Product Advertising API generates a signature from the request data and the secret access key with the same algorithm you used to calculate the signature you sent in the request.
If the signature generated by AWS matches the one you sent in the request, the request is considered authentic. If the comparison fails, the request is discarded, and AWS returns an error response.
Steps you perform
Steps AWS performs