Product Advertising API
Developer Guide (API Version 2013-08-01)

Using SOAP without WS-Security

This section describes how to authenticate SOAP requests without using WS-Security. The topics describe the basic requirements, the required authentication information, and where to place the information in the SOAP request.

General Requirements

If you plan to use SOAP without WS-Security:

  • You can use SOAP 1.1 or SOAP 1.2.

  • You must use HTTPS with your requests.

Required Authentication Information

Authentication of SOAP requests without WS-Security uses your AWS identifiers and an HMAC-SHA256 signature. The request must include the parameters listed in the following table.

Parameter       Description

AWSAccessKeyId
    Your AWS access key ID. For more information, see Managing Your Credentials.

Timestamp
    This is a required parameter if you include the Signature parameter. Otherwise, it is optional. There is no default value. The time stamp you use in the request must be a dateTime object, with the complete date plus hours, minutes, and seconds. This is a fixed-length subset of the format defined by ISO 8601, represented in Universal Time (GMT): YYYY-MM-DDThh:mm:ssZ (where T and Z are literals).

    For more information, see Date and Time Formats.

    If you are using .NET, you must not send overly specific time stamps, due to different interpretations of how extra time precision should be dropped. To avoid overly specific time stamps, manually construct dateTime objects with no more than millisecond precision.

Signature
    The HMAC-SHA256 signature calculated from the concatenation of the Action and Timestamp parameters, using your AWS secret access key.

    For example, for an ItemLookup request, the value of the Signature element would be the HMAC-SHA256 digest of a string like this: ItemLookup2014-09-24T00:00:00Z

    For more information about authentication with HMAC signatures, see HMAC-SHA256 Signatures for REST Requests.

To calculate the signature

  1. Concatenate the values of the Action and Timestamp request parameters, in that order.

    The string you've just created is the string you'll use when generating the signature.

  2. Calculate an RFC 2104-compliant HMAC-SHA256 signature, using the string you just created and your secret access key as the key.

  3. Convert the resulting value to base64.

  4. Pass this final value in the Signature parameter of the SOAP request.
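The four steps above, carried through as an added Python example (not code from the original guide). The secret key and sample time are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone


def format_timestamp(moment: datetime) -> str:
    """Render a datetime as the fixed-length UTC form YYYY-MM-DDThh:mm:ssZ."""
    if moment.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    # Convert to UTC and drop sub-second precision so the value is fixed length.
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def string_to_sign(action: str, timestamp: str) -> str:
    """Step 1: concatenate Action and Timestamp, in that order."""
    return action + timestamp


def sign_request(action: str, timestamp: str, secret_key: str) -> str:
    """Steps 2 and 3: HMAC-SHA256 (RFC 2104) over the string, then base64."""
    digest = hmac.new(secret_key.encode("utf-8"),
                      string_to_sign(action, timestamp).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def signature_matches(action: str, timestamp: str, secret_key: str,
                      candidate: str) -> bool:
    """Recompute the signature and compare it in constant time."""
    expected = sign_request(action, timestamp, secret_key)
    return hmac.compare_digest(expected.encode("utf-8"),
                               candidate.encode("utf-8"))


# Constructed sample values; the key is a placeholder, not a real credential.
SAMPLE_SECRET = "EXAMPLE-SECRET-KEY-NOT-REAL"
SAMPLE_TIME = datetime(2014, 9, 24, 0, 0, 0, 987654, tzinfo=timezone.utc)

if __name__ == "__main__":
    ts = format_timestamp(SAMPLE_TIME)
    sig = sign_request("ItemLookup", ts, SAMPLE_SECRET)
    print(string_to_sign("ItemLookup", ts))
    print(sig)  # step 4: this value goes in the Signature element
    print(signature_matches("ItemLookup", ts, SAMPLE_SECRET, sig))
```

Load the real secret access key from a credential store or environment variable rather than embedding it in source.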

Location of Authentication Information in the Request

With version 2013-08-01, you must provide the authentication information as elements in the SOAP header (using the namespace), as in the following example.

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="" soap:encodingStyle="">
  <soap:Header xmlns:aws="">
    <aws:AWSAccessKeyId>AKIAIOSFODNN7EXAMPLE</aws:AWSAccessKeyId>
    <aws:Timestamp>2008-02-10T23:59:59Z</aws:Timestamp>
    <aws:Signature>SZf1CHmQnrZbsrC13hCZS061ywsEXAMPLE</aws:Signature>
  </soap:Header>
  ...
</soap:Envelope>