Each time you send an HTTP API request to the Message Service (MNS) server, you must include a signature in the HTTP Authorization header. If the signature included in the header is different from the signature that is calculated by the server, the server rejects the request and returns the 403 SignatureDoesNotMatch error message. This topic describes how to troubleshoot the issue.

Issue

The "403 SignatureDoesNotMatch" error message appears when you can an MNS API operation.

Cause

Each time you send an HTTP API request to the Message Service (MNS) server, you must include a signature in the HTTP Authorization header. If the signature included in the header is different from the signature that is calculated by the server, the server rejects the request and returns the 403 SignatureDoesNotMatch error message.

Solution

To troubleshoot the issue, perform the following steps:

  1. Check whether the specified request URL is valid. For more information, see API request structure.
  2. Check whether the specified AccessKey ID and AccessKey secret are valid. You can use your Alibaba Cloud account to apply for and manage an AccessKey ID and AccessKey secret in the Alibaba Cloud Management Console.
  3. Use Sign requests to verify the signature that is generated.
  4. Check whether the request parameters comply with the specifications of requests. The following list describes the common errors. For more information about the specifications of requests, see Sign requests.
    • The API version is invalid. For more information about the latest API version, see Request structure.
    • The format of the date is invalid.
    • A header that starts with x-mns- does not comply with the specifications.

References

The following example shows how to calculate a signature.
  1. Sample HTTP header: 
    GET /MyQueue HTTP/1.1
Host: 1xxxx0.mns.cn-hangzhou.aliyuncs.com
Date: Thu, 09 Jul 2015 03:01:34 GMT
x-mns-version:2015-06-06
  2. Sample string-to-sign: 
    GET
(Line feed)
(Line feed)
Thu, 09 Jul 2015 03:01:34 GMT
x-mns-version:2015-06-06
/MyQueue
  3. If the AccessKey ID is the value of the TestAccessID parameter and AccessKey secret is the value of the TestAccessSecret parameter, the system calculates a signature by using an encryption algorithm based on the combination of the values and the string-to-sign.