Amazon DevPay
Developer Guide (API Version 2007-12-01)

Authentication of SOAP Requests


Amazon DevPay is not accepting new seller accounts at this time. Please see AWS Marketplace for information on selling your applications on Amazon Web Services.

Which Requests Need to Be Authenticated?

Authentication requirements for the License Service requests vary for desktop products and web products:

Desktop Products

HTTPS required

Web Products

WS-Security and HTTPS required

About WS-Security

WS-Security, which is officially called Web Services Security: SOAP Message Security, is an open standard published by OASIS that defines mechanisms for signing and encrypting SOAP messages. The License Service supports version 1.0 of the WS-Security specification. For more information and a link to the WS-Security 1.0 specification, go to the OASIS-Open web site for WS-Security.


The easiest way to comply with the WS-Security requirements is to use a SOAP toolkit that supports WS-Security 1.0 and X.509 certificates.

What Needs to Be Signed

You must sign the Timestamp element, and if you're using WS-Addressing, we recommend you also sign the Action header element. Alternately, you can instead sign Timestamp, Body, the Action header element, and the To header element. For information about WS-Addressing, go to

Message Expiration

AWS requires request messages to expire so they can't be used in malicious replay attacks. The best practice for specifying the expiration of SOAP/WS-Security requests is to include a Timestamp element with an Expires child element. In this case, the message expires at the time established in the Expires element.

If no Timestamp element is present in the request, the request is rejected as invalid. If you include a Timestamp element with a Created child element but no Expires child element, the message expires 15 minutes after the value of the Created element.