Product Advertising API
Developer Guide (API Version 2013-08-01)

HMAC-SHA256 Signatures for REST Requests

This section describe how Product Advertising API uses HMAC-SHA256 signatures to authenticate REST requests.

Authentication Parameters

The following parameters are used by Product Advertising API for REST authentication:

Signature — Required

There is no default value. A signature is created by using the request type, domain, the URI, and a sorted string of every parameter in the request (except the Signature parameter itself) with the following format <parameter>=<value>&. After it's properly formatted, create a base64-encoded HMAC-SHA256 signature with your AWS secret key. For more information, see Example REST Requests.

Timestamp — Required

There is no default value. The time stamp you use in the request must be a dateTime object, with the complete date, including hours, minutes, and seconds. This is a fixed-length subset of the format defined by ISO 8601, represented in Universal Time (GMT): YYYY-MM-DDThh:mm:ssZ (where T and Z are literals). For more information, see Date and Time Formats.


If you are using .NET, you should not send overly specific time stamps, due to differing interpretations of how extra time precision should be dropped. To avoid overly specific time stamps, manually construct dateTime objects with no more than millisecond precision.

Basic Authentication Process

The following describes the steps required to authenticate requests to AWS using an HMAC-SHA256 request signature.

  1. You construct a request to AWS.

  2. You calculate a keyed-hash message authentication code (HMAC-SHA256) signature with your secret access key. For information about HMAC, see RFC2104.

  3. You include the signature and your access key ID in the request, and then send the request to AWS.

  4. The Product Advertising API uses your access key ID to look up your secret access key.

  5. Product Advertising API generates a signature from the request data and the secret access key with the same algorithm you used to calculate the signature you sent in the request.

  6. If the signature generated by AWS matches the one you sent in the request, the request is considered authentic. If the comparison fails, the request is discarded, and AWS returns an error response.

Steps you perform

Steps AWS performs