Query Request Authentication

Every Query request requires an HMAC-SHA1 signature. The signature is used as the value for the Signature parameter in the URL being constructed. The string you use to compute the HMAC signature is constructed using one of two methods described below.

Important

For both signature methods, do not URL encode the concatenated string before computing the signature. URL encode the computed signature and other query parameters as specified in RFC1738, section 2.2. In addition, make sure to encode the + character although it is not required by RFC1738. This is required because the + character is interpreted as a blank space by Sun Java classes that perform URL decoding.

Signature version 1 is the recommended and more secure method of signing requests. This version catches spoofing of any of the request parameters.

To calculate a signature (version 1)

  1. Create the string you'll use when generating the signature:

    1. Sort all request parameters alphabetically, ignoring case.

      Include SignatureVersion in the list but not Signature. Do not list as "empty" any optional parameters that are not included in the request. In other words, if no value for ParameterA is specified in the request, do not include a ParameterA entry in this sorted list.

    2. Form a string by concatenating each request parameter's name with its value.

      The format of the string is:

      Param-name1Param-value1Param-name2Param-value2...Param-nameNParam-valueN

      The parameter names are case sensitive. Do not include any separators in this string, such as question marks (?), ampersands (&), or equals signs (=). Do not URL encode the parameter values.

      For example, given the following request:

      ?Action=CreateQueue
      &QueueName=queue2
      &AWSAccessKeyId=0A8BDF2G9KCB3ZNKFA82
      &SignatureVersion=1
      &Expires=2007-01-12T12:00:00Z
      &Version=2006-04-01

      This is the string to be signed:

      ActionCreateQueueAWSAccessKeyId0A8BDF2G9KCB3ZNKFA82Expires2007-01-12T12:00:00ZQueueNamequeue2SignatureVersion1Version2006-04-01

  2. Calculate an RFC 2104-compliant HMAC-SHA1 signature, using your Secret Access Key as the key and the string you just created.

    For more information, see http://www.faqs.org/rfcs/rfc2104.html.

  3. Convert the resulting value to base64.

    For the string above, assuming the secret access key is fake-secret-key, this is the base64 encoded value:

    wlv84EOcHQk800Yq6QHgX4AdJfk=

  4. URL encode the resulting value as specified in RFC 1738, section 2.2.

    This is required because base64 encoding can result in characters that are not legal in a URL, such as plus signs (+), slashes (/), and equals signs (=).

    For the signature above, this is the URL encoded value:

    wlv84EOcHQk800Yq6QHgX4AdJfk%3D

  5. Pass this final value in the Signature request parameter.

Tip

If you're using the Query API and signature version 1, you can use the Amazon SQS scratchpad to help you troubleshoot authentication issues. The scratchpad is a simple HTML and JavaScript application that allows you to explore the 2008-01-01 Amazon SQS API without writing any code. The tool constructs a Query request and shows the string to sign and the final signature that you would include in the request. To download the scratchpad, go to http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1254&categoryID=30.

The following is a Java code snippet that shows how to construct the string.

/*
 * Assumes parameters are in a java.util.Map<String, String> named paramMap
 * where the key is the parameter name. Requires java.util.Set and
 * java.util.TreeSet.
 */
// Case-insensitive ordering, as required for the string to sign.
Set<String> sortedKeys = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
sortedKeys.addAll(paramMap.keySet());

// Don't include Signature in the string to sign.
sortedKeys.remove("Signature");

// Concatenate name + value for each parameter with no separators.
StringBuilder stringBuilder = new StringBuilder();
for (String key : sortedKeys) {
    stringBuilder.append(key);
    stringBuilder.append(paramMap.get(key));
}

System.out.println("String to sign : " + stringBuilder.toString());

Signature Version 0 is a less secure but simpler method of signing requests. The SignatureVersion query parameter is not necessary when using this version.

To calculate a signature (version 0)

  1. Concatenate the values of the Action and Timestamp request parameters, in that order.

    You can use the Expires parameter instead of Timestamp.

  2. Calculate an RFC 2104-compliant HMAC-SHA1 signature, using your Secret Access Key as the key.

    For more information, see http://www.faqs.org/rfcs/rfc2104.html.

  3. Convert the resulting value to base64.

  4. URL encode the resulting value as specified in RFC 1738, section 2.2.

    This is required because base64 encoding can result in characters that are not legal in a URL, such as plus signs (+), slashes (/), and equals signs (=).

  5. Pass the final value in the Signature request parameter.
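The following Python program is an added example, not code from the Amazon SQS documentation or from Amazon, that carries both procedures above (version 1 and version 0) through steps 1 to 5 on the sample request given earlier and then plays the role of the verifying side. It uses the placeholder secret key from the text (fake-secret-key), and the altered QueueName value queue3 is a constructed input. The point it demonstrates is the one the text makes about the two versions: because version 1 covers every parameter, a request whose QueueName is changed after signing no longer verifies, whereas version 0 signs only Action and Timestamp (or Expires), so the same alteration goes unnoticed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample request, taken from the worked example in the text.
# The secret key is the placeholder the text uses; it is not a real key.
SECRET_ACCESS_KEY = "fake-secret-key"
REQUEST_PARAMS = {
    "Action": "CreateQueue",
    "QueueName": "queue2",
    "AWSAccessKeyId": "0A8BDF2G9KCB3ZNKFA82",
    "SignatureVersion": "1",
    "Expires": "2007-01-12T12:00:00Z",
    "Version": "2006-04-01",
}


def string_to_sign_v1(params):
    """Version 1, step 1: sort names case-insensitively, leave Signature out,
    and concatenate name+value pairs with no separators and no URL encoding."""
    keys = sorted((k for k in params if k != "Signature"), key=str.lower)
    return "".join(k + params[k] for k in keys)


def string_to_sign_v0(params):
    """Version 0, step 1: Action followed by Timestamp (Expires may be used instead)."""
    when = params.get("Timestamp", params.get("Expires", ""))
    return params["Action"] + when


def sign(string_to_sign, secret_key):
    """Steps 2 and 3: RFC 2104 HMAC-SHA1 keyed with the secret key, then base64."""
    mac = hmac.new(secret_key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def url_encode_signature(signature):
    """Step 4: percent-encode everything outside the unreserved set, which
    covers the '+', '/' and '=' characters base64 output can contain."""
    return quote(signature, safe="")


def signature_param(params, secret_key, version=1):
    """Steps 1 to 4 together: the value to pass in the Signature parameter."""
    s = string_to_sign_v1(params) if version == 1 else string_to_sign_v0(params)
    return url_encode_signature(sign(s, secret_key))


def verify(params, presented_signature, secret_key, version=1):
    """Verifier side: recompute from the received parameters and compare in
    constant time so the comparison itself leaks nothing about the expected value."""
    expected = signature_param(params, secret_key, version)
    return hmac.compare_digest(expected, presented_signature)


def tamper_detected(version):
    """Sign the sample request, then alter QueueName as if changed in transit
    (constructed value). Version 1 fails verification because every parameter
    is signed; version 0 still verifies because only Action and Expires are."""
    sig = signature_param(REQUEST_PARAMS, SECRET_ACCESS_KEY, version)
    altered = dict(REQUEST_PARAMS, QueueName="queue3")
    return not verify(altered, sig, SECRET_ACCESS_KEY, version)


if __name__ == "__main__":
    print("String to sign (v1):", string_to_sign_v1(REQUEST_PARAMS))
    print("Signature (v1):", signature_param(REQUEST_PARAMS, SECRET_ACCESS_KEY, 1))
    print("String to sign (v0):", string_to_sign_v0(REQUEST_PARAMS))
    print("v1 detects altered QueueName:", tamper_detected(1))
    print("v0 detects altered QueueName:", tamper_detected(0))
```

Run as a script, it prints the version 1 string to sign (which matches the one given in step 1 above) and the URL-encoded signature, which can be compared against the value the text gives for fake-secret-key. Note that `quote` is called with `safe=""`: Python's default leaves `/` unencoded, which would violate step 4.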