Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Request Authentication and Amazon SES

When you make a request to the Amazon SES API, you must provide proof that you are truly the account holder so that Amazon SES can verify your identity and confirm that you are registered to use services offered by AWS. If either test fails, Amazon SES returns an error and does not process the request.

Authentication Process

To provide proof of your identity, you must provide the following items as part of the X-Amzn-Authorization HTTPS header in your request to the Amazon SES API:

  • AWSAccessKeyId—Your AWS account is identified by your access key ID, which AWS uses to look up your secret access key. For information about how to get your access key ID, see Getting Your AWS Access Keys.

  • Signature—Each request must contain a valid request signature, or the request will be rejected. A request signature is calculated using your secret access key, which is a shared secret known only to you and AWS.


    Amazon SES supports signature version 3 and version 4. Version 4 is preferred. For information about using signature version 4, see Signature Version 4 Signing Process in the AWS general reference documentation.

  • Algorithm—Identify which HMAC hash algorithm you used to calculate your signature, either SHA256 or SHA1. For information about HMAC, go to

When Amazon SES receives your request, it does the following:

  1. Uses the access key ID to look up your secret access key.

  2. Generates a signature from the request data and the secret access key using the same algorithm you used to calculate the signature you sent in the request.

  3. If the signature generated by Amazon SES matches the one you sent in the request, Amazon SES handles the request. If the comparison fails, the request is discarded, and Amazon SES returns an error response.

To create the X-Amzn-Authorization header

  1. Create a Date header to be used in the request. For more information, go to

    Here is an example of what a Date header might look like:

    Date: Tue, 25 May 2010 21:20:27 +0000

  2. To create the string to sign, calculate an RFC 2104-compliant HMAC hash with the Date header value, your secret access key as the key, and SHA256 or SHA1 as the hash algorithm. For more information, go to


    Use only the value of the header when calculating the hash; do not include the word "Date", nor the trailing colon and space.

  3. To create the request signature, convert the HMAC hash to base64. The resulting value is the signature for this request.

  4. Create an X-Amzn-Authorization header, consisting of the following elements:

    1. AWS3-HTTPS.

    2. AWSAccessKeyId=your AWS Access Key ID.

    3. Algorithm=the algorithm you used when creating the string to sign—either HmacSHA1 or HmacSHA256.

    4. Signature=the signature for this request.

    All of the elements, except for AWS3-HTTPS, must be separated by commas.

    Here is an example of what an X-Amzn-Authorization header might look like, using placeholders for the AWS Access Key ID and the signature:

    X-Amzn-Authorization: AWS3-HTTPS AWSAccessKeyId=<Your AWS Access Key ID>, Algorithm=HmacSHA256, Signature=<Signature>
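
The following added example (not code from AWS or from the original guide) carries out the header-creation steps above in Python and also models the three receiver-side steps listed under "Authentication Process". The function names, the `secrets` lookup table and the sample credentials are assumptions constructed for illustration; the `verify` function is a sketch of the described comparison, not Amazon's implementation.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate

DIGESTS = {"HmacSHA256": hashlib.sha256, "HmacSHA1": hashlib.sha1}


def sign_date(secret_key, date_value, algorithm="HmacSHA256"):
    """Steps 2-3: HMAC over the Date header *value* only, then base64."""
    mac = hmac.new(secret_key.encode(), date_value.encode(), DIGESTS[algorithm])
    return base64.b64encode(mac.digest()).decode("ascii")


def build_headers(access_key_id, secret_key, algorithm="HmacSHA256", date_value=None):
    """Steps 1-4: return the Date and X-Amzn-Authorization headers."""
    date_value = date_value or formatdate(usegmt=True)
    auth = "AWS3-HTTPS AWSAccessKeyId={}, Algorithm={}, Signature={}".format(
        access_key_id, algorithm, sign_date(secret_key, date_value, algorithm))
    return {"Date": date_value, "X-Amzn-Authorization": auth}


def verify(headers, secrets):
    """Receiver-side model: look up the secret, recompute, compare."""
    scheme, _, rest = headers.get("X-Amzn-Authorization", "").partition(" ")
    if scheme != "AWS3-HTTPS":
        return False
    try:
        fields = dict(p.strip().split("=", 1) for p in rest.split(","))
        secret = secrets[fields["AWSAccessKeyId"]]
        expected = sign_date(secret, headers["Date"], fields["Algorithm"])
        sent = fields["Signature"]
    except (KeyError, ValueError):
        return False  # unknown key ID, unsupported algorithm, or malformed header
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), sent.encode())


# Constructed sample credentials (placeholders, not real AWS keys).
SAMPLE_KEY_ID = "AKIDEXAMPLE"
SAMPLE_SECRET = "constructed-secret-for-illustration"
SAMPLE_DATE = "Tue, 25 May 2010 21:20:27 +0000"  # Date value from the example above

if __name__ == "__main__":
    hdrs = build_headers(SAMPLE_KEY_ID, SAMPLE_SECRET, date_value=SAMPLE_DATE)
    print(hdrs["X-Amzn-Authorization"])
    print("verifies:", verify(hdrs, {SAMPLE_KEY_ID: SAMPLE_SECRET}))
```

Because the signature covers only the Date value, the same header pair verifies for any request body; changing the Date header after signing makes verification fail.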