Amazon DevPay
Developer Guide (API Version 2007-12-01)

Query String Authentication with Desktop Products


Amazon DevPay is not accepting new seller accounts at this time. Please see AWS Marketplace for information on selling your applications on Amazon Web Services.

Amazon Simple Storage Service users can give direct third-party access to their private Amazon S3 data, without proxying the request. They do this by constructing a "pre-signed" request and encoding it as a URL that can be used in a browser. This feature is commonly referred to as query string authentication or pre-signed URLs. For complete information about the Amazon S3 query string authentication feature, see the REST authentication section in the Amazon Simple Storage Service Developer Guide.


Query string authentication is designed for use by web products, not desktop products. Although it's technically possible that your desktop product could use the feature, we strongly discourage it because it's a less secure way for your desktop product to access a customer's bucket. Any request your desktop product makes using query string authentication exposes the product token in clear text, enabling anyone to get the product token and use it maliciously to your detriment. Using a regular call without query string authentication doesn't expose the product token in clear text, making it the more secure option. Web products can make calls using query string authentication without including the product token if they're using a user token created after May 15, 2008. Desktop products cannot.

If you have a desktop product but still want to use query string authentication, we recommend you enable a server to run a web (hosted) interface to your product, set up the server to handle query string authentication, and have your customers use that web interface. Thereafter, to use your product, the customers could use their desktop client or the web interface (their subscription covers both). In this case, you need to activate the customer's use of the product twice: once with ActivateDesktopProduct (for use with the desktop client) and once with ActivateHostedProduct (for use with the web interface). For more information about creating a DevPay web product, see Setting Up Web Products. For information about using query string authentication with a web product, see Query String Authentication with Web Products.