Amazon DevPay
Developer Guide (API Version 2007-12-01)

Making Amazon S3 REST Calls with Desktop Products


Amazon DevPay is not accepting new seller accounts at this time. Please see AWS Marketplace for information on selling your applications on Amazon Web Services.

Your product will make calls to the Amazon Simple Storage Service on behalf of a customer. These calls are part of the overall process desktop products follow to work with Amazon DevPay (for more information, see Overall Authentication Process).

Your product's Amazon S3 requests must be REST requests. Amazon S3 SOAP requests are not supported with DevPay. This section describes how to make REST requests.

Alternately, your desktop product could use Amazon S3 POSTs or pre-signed URLs to access Amazon S3, but for security reasons, we don't recommend you use those with a DevPay desktop product. For more information about those methods, see Query String Authentication with Desktop Products and Amazon S3 POST with Desktop Products.

Making a REST request to Amazon S3 with DevPay is similar to making a REST request for Amazon S3 without DevPay. These are the differences:

  • Your product must include the product token and the user token in the Amazon S3 REST request

  • Your product must sign the request using the customer's Secret Access Key and provide the customer's Access Key ID in the request instead of your own


    Do not distribute your own Secret Access Key with your product.

Adding the Tokens to Amazon S3 REST Requests

Each request for Amazon S3 that your desktop product makes on behalf of a customer must be a REST request that includes the product token for your product and the user token for the customer. You include the tokens in the REST request by adding two x-amz-security-token headers: one to hold the product token, and one to hold the user token.

The following example shows a basic Amazon S3 PUT request that a product registered with DevPay could make on behalf of a customer.

PUT/ bucketname/objectname HTTP/1.0 Content-Length: 0 Host: Date: Wed, 12 Dec 2007 03:40:41 GMT Authorization: AWS 0GS7553JW74RRM612K02EXAMPLE:frJIUN8DYpKDtOLCwo//yllqDzgEXAMPLE= x-amz-security-token: {UserToken}AAAHVXNlclRrbgfOpSykBAXO7g/zG....[long encoded token]... x-amz-security-token: {ProductToken}MIIBzTCCATagAwIBAgIGARB1qe....[long encoded token]...

Alternately, you can add a single x-amz-security-token header with the product token and user token separated by a comma.

Amazon S3 returns two errors related to the user token: ExpiredToken and InvalidToken. For more information about the errors Amazon S3 returns, see the Amazon Simple Storage Service Developer Guide.

Signing the Amazon S3 REST Request

DevPay requests for Amazon S3 are not anonymous, so they require authentication. In general, you sign REST requests for Amazon S3 with DevPay the same way you sign REST requests without DevPay.

The main difference between REST requests with and without DevPay is whose credentials you use for the signature. For requests without DevPay, you use your own credentials. For requests with DevPay, you use the customer's credentials. This means you include the customer's Access Key ID instead of your own in the Authorization header, and you use the customer's Secret Access Key to create the signature.

The Amazon S3 documentation instructs you to include all headers that start with x-amz in the string to sign. This means that you must include the two x-amz-security-token headers when creating the signature. For more information, see the Amazon Simple Storage Service Developer Guide.