The Object Storage Service (OSS) signature mechanism is used to verify the identity of the request sender and the validity of the request to prevent unauthorized access and data tampering. OSS supports V1 and V4 signature algorithms. The V4 signature algorithm uses the OSS4-HMAC-SHA256 hash algorithm and a more complex signature calculation process to ensure the security of data interaction. As a result, the V4 signature algorithm is more secure than the V1 signature algorithm. This topic describes how to upgrade a V1 signature to a V4 signature.
From March 1, 2025, the V1 signature algorithm of OSS is no longer available to new customers with new UIDs. From September 1, 2025, OSS no longer updates and maintains the V1 signature algorithm, and the V1 signature algorithm is no longer available for new buckets. Upgrade V1 signatures to V4 signatures at the earliest opportunity to prevent impact on your business.
Automatically calculate V4 signatures
The V4 signature calculation process is complicated, and a minor deviation in the calculation can cause the request to be rejected as invalid. We recommend that you use OSS SDKs to initiate requests. OSS SDKs provide a built-in V4 signature mechanism that automatically calculates the signature. This eliminates the need to manually write and debug code to calculate V4 signatures. Choose the OSS SDK for the programming language or platform that you use, in a version that supports the V4 signature.
When you use OSS SDKs and ossutil2.0 to automatically calculate V4 signatures, specify the endpoint and the Alibaba Cloud region ID that identifies the region from which the request is initiated. Example: cn-hangzhou. For more information, see Regions and endpoints.
SDK | Required version | References |
Java SDK | 3.17.4 and later | |
PHP SDK | 2.7.0 and later | |
Node.js SDK | 6.20.0 and later | |
Python SDK | 2.18.4 and later | |
Browser.js SDK | 6.20.0 and later | |
.NET SDK | 2.14.0 and later | |
Go SDK | 3.0.2 and later | |
C++ SDK | 1.10.0 and later | |
C SDK | 3.11.0 and later | |
Manually calculate V4 signatures
If you cannot use OSS SDKs, you can manually calculate V4 signatures by using one of the following methods, and then access OSS resources by using the V4 signatures.
Signature method | Description | References |
Include a V4 signature in the Authorization header | In OSS, the Authorization header is the most common method that is used to provide authentication information. Except for POST requests and requests that are signed by using query parameters, all OSS operations use the Authorization header for authentication. | (Recommended) Include a V4 signature in the Authorization header |
Include a V4 signature in a URL | You can generate a pre-signed URL that contains a V4 signature and other necessary request information. This way, you can grant third-party users temporary access permissions on specific OSS resources without exposing your access credentials. | |
Include a V4 signature in a PostObject request | The PostObject operation allows you to upload an object to an OSS bucket by using an HTML form. This signature method allows you to construct an HTML form on a client, such as a Web browser. The HTML form contains the fields related to the object that you want to upload and other necessary parameters, such as Signature, OSSAccessKeyId, BucketName, and key. When the HTML form is submitted, the information is sent to OSS by initiating a PostObject request. OSS verifies the validity of the PostObject request. | |
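To show why a V4 client must be given the region ID, here is an added Python sketch of the Authorization-header signature; it is not code from this page or from an OSS SDK. The canonical-request layout, the `aliyun_v4` key prefix and the `aliyun_v4_request` scope suffix are assumptions taken from the OSS V4 reference topic and should be checked against it; the bucket, object and credentials are constructed.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret: str, date: str, region: str) -> bytes:
    # Key chain: secret -> date -> region -> product -> fixed terminator.
    # The region is bound into the key, so signer and server must agree on it.
    key = _hmac(("aliyun_v4" + secret).encode("utf-8"), date)
    for part in (region, "oss", "aliyun_v4_request"):
        key = _hmac(key, part)
    return key

def sign_v4(method, bucket, obj, headers, secret, region, query=None):
    """Return (scope, hex signature) for an Authorization-header request."""
    timestamp = headers["x-oss-date"]  # ISO 8601 basic format, UTC
    date = timestamp[:8]
    scope = f"{date}/{region}/oss/aliyun_v4_request"
    uri = quote(f"/{bucket}/{obj}", safe="/")
    pairs = sorted((quote(k, safe=""), quote(v, safe=""))
                   for k, v in (query or {}).items())
    canon_query = "&".join(f"{k}={v}" if v else k for k, v in pairs)
    # Signed by default: content-type, content-md5 and every x-oss-* header.
    signed = sorted((k.lower(), v.strip()) for k, v in headers.items()
                    if k.lower() in ("content-type", "content-md5")
                    or k.lower().startswith("x-oss-"))
    canon_headers = "".join(f"{k}:{v}\n" for k, v in signed)
    # The empty string is the (unused here) additional-headers field.
    canonical_request = "\n".join([method, uri, canon_query, canon_headers,
                                   "", headers["x-oss-content-sha256"]])
    digest = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    string_to_sign = "\n".join(["OSS4-HMAC-SHA256", timestamp, scope, digest])
    signature = hmac.new(derive_signing_key(secret, date, region),
                         string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return scope, signature

# Constructed sample request headers (not real values).
SAMPLE_HEADERS = {
    "x-oss-date": "20250301T120000Z",
    "x-oss-content-sha256": "UNSIGNED-PAYLOAD",
    "Content-Type": "text/plain",
}

if __name__ == "__main__":
    for region in ("cn-hangzhou", "cn-shanghai"):
        print(region, *sign_v4("PUT", "examplebucket", "dir/report.txt",
                               SAMPLE_HEADERS, "example-secret", region))
```

The same request signed for two regions yields different signatures, so a client configured with the wrong region ID fails authentication even when its AccessKey pair is correct.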