# API Request Signature

In order to authenticate legitimate users, the Exoscale API requires incoming requests to be signed using valid Exoscale API account credentials with the following mechanism.

## Signature Mechanism

The *message* (i.e. content) to sign contains several segments concatenated using a line return character (`\n`). All segments must be included and in the described order. For cases where a segment doesn't fit the context of the request (e.g. no request body) **an empty line must be used instead**.

* Request method and request URL (path only), separated by a space character
* Request body
* Request URL parameters (Query String) values, concatenated without separator. The matching parameter names have to be specified in the resulting signature header `signed-query-args=` pragma, separated by semicolons (e.g. `p1;p2;pN`).
* Request header values, concatenated without separator (none at the moment, leave empty)
* Request expiration date in UNIX timestamp format

Example *message* to sign for `GET /v2/resource/a02baf5a-a3e4-49a0-857b-8a08d276c1c0?p1=v1&p2=v2`:

```
GET /v2/resource/a02baf5a-a3e4-49a0-857b-8a08d276c1c0

v1v2

1599140767
```

The two blank lines above are due to the absence of a request body and signed headers.

Example *message* to [create a security group](https://openapi-v2.exoscale.com/operation/operation-create-security-group):

```
POST /v2/security-group
{"name": "my-security-group"}


1599140767
```

The two blank lines above are due to the absence of query parameters and signed headers.

The request signature consists of the base64-encoded [HMAC](https://en.wikipedia.org/wiki/HMAC) hash of the UTF-8 encoded *message* and the Exoscale API secret using the SHA256 function:

```
signature = BASE64_ENCODE(HMAC_SHA256(Exoscale API secret, message))
```

Finally, the computed signature must be added to the API request in an `Authorization` header such as:

```
Authorization: EXO2-HMAC-SHA256 credential=,expires=,signature=
```

Example API query:

```
GET /v2/resource/a02baf5a-a3e4-49a0-857b-8a08d276c1c0?p1=v1&p2=v2 HTTP/1.1
Host: api-ch-gva-2.exoscale.com
Authorization: EXO2-HMAC-SHA256 credential=EXO29147e9f89102b7ac1e88514,signed-query-args=p1;p2,expires=1599140767,signature=2AOBQsbElQb4FpKT/FM/9T4NobjlmZkSGvvdUth/xlY=
```

## Reference Implementations

You can look up the following existing reference implementations:

* Go: [github.com/exoscale/egoscale/api/v2 > `SecurityProviderExoscale.signRequest`](https://github.com/exoscale/egoscale/blob/master/v2/api/security.go)
* Python: [requests-exoscale-auth > `ExoscaleV2Auth`](https://github.com/exoscale/requests-exoscale-auth/blob/master/exoscale_auth.py)
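
The signing steps from the Signature Mechanism section, end to end, as an added Python example (not Exoscale's reference code). The key and secret are constructed values; the 10-minute expiry window, the sorting of parameter names and the receiver-side `verify` helper are assumptions of this example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit


def build_message(method, url, body, expires):
    """Return (message bytes, signed query-arg names) for one request."""
    parts = urlsplit(url)
    args = parse_qs(parts.query, keep_blank_values=True)
    # Assumption: names are sorted; only the first value of a repeated name is signed.
    names = sorted(args)
    segments = [
        f"{method.upper()} {parts.path}",    # method and path only
        body,                                # request body, "" if none
        "".join(args[n][0] for n in names),  # query values, no separator
        "",                                  # signed headers: none at the moment
        str(expires),                        # expiration, UNIX timestamp
    ]
    return "\n".join(segments).encode("utf-8"), names


def sign(secret, message):
    digest = hmac.new(secret.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(key, secret, method, url, body="", expires=None):
    if expires is None:
        expires = int(time.time()) + 600  # assumption: 10-minute validity window
    message, names = build_message(method, url, body, expires)
    fields = [f"credential={key}"]
    if names:
        fields.append("signed-query-args=" + ";".join(names))
    fields += [f"expires={expires}", f"signature={sign(secret, message)}"]
    return "EXO2-HMAC-SHA256 " + ",".join(fields)


def verify(secret, message, expires, signature, now=None):
    """Receiver-side check: reject expired requests, compare in constant time."""
    now = time.time() if now is None else now
    if now > expires:
        return False
    return hmac.compare_digest(sign(secret, message).encode(), signature.encode())


if __name__ == "__main__":  # constructed key and secret, not real credentials
    print(authorization_header("EXOexamplekey", "constructed-secret", "GET", "/v2/security-group"))
```

The body passed to `build_message` must be the exact string sent on the wire, since any difference in whitespace or key order changes the signature.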