Amazon DevPay
Developer Guide (API Version 2007-12-01)

Making Amazon S3 REST Calls with Web Products


Amazon DevPay is not accepting new seller accounts at this time. Please see AWS Marketplace for information on selling your applications on Amazon Web Services.

Your product will make calls to the Amazon Simple Storage Service on behalf of a customer. These calls are part of the overall process web products follow to work with Amazon DevPay (for more information, see Overall Authentication Process).

Your product's Amazon S3 requests must be REST requests, Amazon S3 POSTs, or pre-signed URLs. Amazon S3 SOAP requests are not supported with Amazon DevPay. This section describes how to make REST requests. For information about using pre-signed URLs with your web product, see Query String Authentication with Web Products. For information about using Amazon S3 POSTs with your web product, see Query String Authentication with Web Products.

Making a REST request to Amazon S3 with DevPay is similar to making a REST request for Amazon S3 without DevPay. The only difference is that your product must include the product token and the user token in the Amazon S3 request. This has implications for forming the request and for signing the request.


For web products only, the product token is optional in the REST request if the web product is using the new version of the user token that ActivateHostedProduct began returning after May 15, 2008. To ensure that a web product user token is the new version, use the RefreshUserToken action.

Adding the Tokens to Amazon S3 REST Requests

Each Amazon S3 REST request that your web product makes on behalf of a customer must include the customer's user token. You include the user token in the REST request by adding an x-amz-security-token header. If you need to pass the product token, you can use the same header and include both the user token and the product token separated by a comma. Alternately, you can include a second x-amz-security-token header with the product token.


If your web product has a user token created on or before May 15, 2008, each Amazon S3 REST request from your product must include the product token. Calls to ActivateHostedProduct made after that date return a new type of user token that eliminates the need to include the product token in the Amazon S3 request.

The following example shows a basic Amazon S3 PUT request that a product registered with DevPay could make on behalf of a customer.

PUT/ bucketname/objectname HTTP/1.0 Content-Length: 0 Host: Date: Sat, 17 May 2008 03:40:41 GMT Authorization: AWS 0GS7553JW74RRM612K02EXAMPLE:frJIUN8DYpKDtOLCwo//yllqDzgEXAMPLE= x-amz-security-token: {UserToken}AAAHVXNlclRrbgfOpSykBAXO7g/zG....[long encoded token]... x-amz-security-token: {ProductToken}MIIBzTCCATagAwIBAgIGARB1qe....[long encoded token]...

Amazon S3 returns two errors related to the user token: ExpiredToken and InvalidToken. For more information about the errors Amazon S3 returns, see the Amazon Simple Storage Service Developer Guide.

Signing the Amazon S3 REST Request

DevPay requests for Amazon S3 are not anonymous, so they require authentication. You sign the request essentially the same way you sign a request without DevPay. You still use your own Secret Access Key and Access Key ID.

The Amazon S3 documentation instructs you to include all headers that start with x-amz in the string to sign. This means that you must include any x-amz-security-token headers when creating the signature. For more information, see the Amazon Simple Storage Service Developer Guide.