Help Center > Object Storage Service > API Reference > Authenticating a Request > V2 Temporarily Authorized Requests

V2 Temporarily Authorized Requests

In OBS, registered and activated users can use their accounts to construct a URL for a specific operation. Such a URL contains the authentication information, and all users that have this URL can perform this specific operation. With temporary authorization for an object, all users that have the URL can download the object. The URL is valid only before the time specified by Expires. After a user issues temporary authorization but does not provide this user's secret access key, other users can use this user's identity to perform the operations defined by this user.

V2 temporarily authorized requests are in the following format:

GET /ObjectKey?AWSAccessKeyId=AccessKeyID&Expires=ExpiresValue&Signature=signature HTTP/1.1

The required authentication elements are specified as query string parameters, as described in Table 1.

Table 1 Temporarily authorized request parameters



Required or Optional


Indicates the AK of the permission grantor.

Type: string



Indicates the time (expressed in seconds) when the temporarily authorized URL expires. The time must be in Coordinated Universal Time (UTC) format and later than 00:00:00 on January 1, 1970.

Type: string



Indicates the signature generated using the SK and parameter Expires.

Type: string


The temporarily authorized signature algorithm differs from the authorization header in the following aspects:

  • The signature is both Base64 and URL encoded.
  • Expires in StringToSign corresponds to Date in authorization information.
StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Expire + "\n" + CanonicalizedOBSHeaders + CanonicalizedResource

Signature = URL-Encode(Base64( HMAC-SHA1( UTF-8-Encoding-Of(YourSecretAccessKeyID, StringToSign ) ) ))