This section provides detailed explanations for some of the tasks required to generate a signature. A signature is required for every request. For sample code for generating signatures, see Appendix: Sample Code for Signatures.
Web service requests are sent using SSL (HTTPS) across the Internet and are subject to tampering. Amazon FPS uses the signature to determine if any of the parameters or parameter values were changed in a web service request. Amazon FPS requires a signature to be part of every request.
This section explains how to generate the signature.
| Note |
|---|
| Two values important in the generation of the signature are your AWS Access Key ID and your Secret Key, both of which AWS assigns to you when you sign up for an AWS developer account. For more information, go to the Amazon Flexible Payments Service Getting Started Guide. |
To create a signature
1. Remove the endpoint from the query request.
2. Rearrange the parameters (with their values) in the request so they are in alphabetical order. You should use a case-insensitive sorting order.

   For an example of sorting, see the example that follows this procedure.
3. Concatenate the parameters and their values to make one long string so there are no spaces between them.

   | Note |
   |---|
   | If you have any custom parameters that use uppercase letters in their names, you must convert all of the uppercase letters to lowercase letters before you concatenate the parameters. Spaces within a parameter value, such as within the |
   | If you aren't using a parameter, you do not need to include it in the string. For example, if you don't specify a return URL, you should omit the return URL parameter from the string. |

   For an example of concatenation, see the example that follows this procedure.
4. Remove all equal signs (=), ampersands (&), and the question mark (?).

   Instead of the string being of the form Parameter=Value&Parameter=Value..., the form is ParameterValueParameterValue....

   AccessKeyAW9637827MN6SfCallerReferencew09852d09swSenderDescriptionPremiumCustomerSenderTokenId1w098rw0w8r0qfTransactionAmount23.30
5. Compute an RFC 2104-compliant HMAC signature of the string created in the previous step.

   For more information about computing the signature using various computer languages, see Appendix: Sample Code for Signatures.
6. URL-encode the result using Base64.

   Spaces, for example, become encoded as %20.

The resulting value from the encoding process is the signature value. Once you have this value, enter it into the request.

signature=ZXaGGClrUEXAMPLEGI6bH
Example Parameter Sorting and Concatenation
The following tables show an example of raw parameter data, and how you would sort and concatenate the data to use in a signature.
This table lists the parameters and their values in a sample HTML form.
| Parameter Name | Value |
|---|---|
| SenderTokenId | 1w098rw0w8r0qf |
| AccessKey | AW9exampleN6Sf (make sure this is your AWS Access Key ID) |
| TransactionAmount | 23.30 |
| SenderDescription | PremiumCustomer |
| CallerReference | w09852d09sw |
The next table shows the example parameters sorted alphabetically.
| Parameter Name | Value |
|---|---|
| AccessKey | AW9637827MN6Sf (make sure this is your access key ID) |
| CallerReference | w09852d09sw |
| SenderDescription | PremiumCustomer |
| SenderTokenId | 1w098rw0w8r0qf |
| TransactionAmount | 23.30 |
The following string shows the concatenated parameters. Notice that there are no spaces between one parameter and the next. There are no ampersands, question marks, or equal signs. Spaces within a parameter, such as within the description text, are allowed. The endpoint is not included.
AccessKeyAW9637827MN6SfCallerReferencew09852d09swSenderDescriptionPremiumCustomerSenderTokenId1w098rw0w8r0qfTransactionAmount23.30
Upon receiving a request, Amazon performs the steps in the following table to validate the signature.
Signature Validation Process
| 1 | Decodes the signature in the request. |
| 2 | Reads from the request your AWS Access Key ID. |
| 3 | Uses that ID value to look up the value of your Secret Key. |
| 4 | Removes from the request the signature parameter and its value. |
| 5 | Uses your Secret Key and the remainder of the request to compute the signature of the request. |
| 6 | Compares that signature with the signature in the original request. |
| 7 | If the signatures match, the request is processed. Otherwise, an error is returned. |
Upon receiving a response from Amazon FPS, your application should check the signature value to confirm that the response was not tampered with. In general, the process is the same as generating a signature except that you first must URL decode the response to get the raw parameter names and values that Amazon FPS used to generate the signature, as described in the preceding process.
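The signing procedure and the validation process above, as an added Python example (not Amazon's sample code and not from the appendix this page refers to). It assumes HMAC-SHA1 as the hash, reads the encoding step as Base64 followed by URL-encoding, and uses a constructed secret key; `string_to_sign`, `sign` and `verify` are illustrative names.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Parameters from the page's example table; the secret key is constructed.
PARAMS = {
    "SenderTokenId": "1w098rw0w8r0qf",
    "AccessKey": "AW9637827MN6Sf",
    "TransactionAmount": "23.30",
    "SenderDescription": "PremiumCustomer",
    "CallerReference": "w09852d09sw",
}
SECRET = "constructed-secret-key-for-illustration"


def string_to_sign(params):
    """Sort names case-insensitively and join name+value with no separators."""
    # Unused parameters (None) and the signature itself are left out.
    used = {k: v for k, v in params.items()
            if v is not None and k.lower() != "signature"}
    return "".join(k + used[k] for k in sorted(used, key=str.lower))


def sign(params, secret_key):
    """HMAC (SHA-1 assumed) over the string, then Base64, then URL-encode."""
    mac = hmac.new(secret_key.encode(), string_to_sign(params).encode(),
                   hashlib.sha1)
    return quote(base64.b64encode(mac.digest()).decode(), safe="")


def verify(params, secret_key):
    """Recompute the signature without the signature parameter and compare."""
    received = unquote(params.get("signature", ""))
    expected = unquote(sign(params, secret_key))
    # compare_digest runs in constant time, so a mismatch leaks no position.
    return hmac.compare_digest(received.encode(), expected.encode())


if __name__ == "__main__":
    signed = dict(PARAMS, signature=sign(PARAMS, SECRET))
    print(string_to_sign(signed))
    print("valid:", verify(signed, SECRET))
    tampered = dict(signed, TransactionAmount="2330.00")
    print("tampered valid:", verify(tampered, SECRET))
```

A missing signature parameter is treated as an empty value, so such a request or response fails verification instead of raising.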