
AWS SigV4 — API Request

Authenticating an AWS API request using Signature Version 4. This scenario shows an STS GetCallerIdentity call, detailing the 4-step signing process.

[Sequence diagram: Client Application → AWS STS. Step 1: POST https://sts.us-east-1.amazonaws.com/ (response 200)]

The client sends a signed request to AWS STS. AWS SigV4 requires calculating a canonical request hash, building a string to sign, deriving a daily scoped signing key from the secret access key, and generating an HMAC-SHA256 signature.

The canonical request includes the HTTP method, URI, query string, headers, signed header names, and a SHA256 hash of the payload.

The signing key is derived hierarchically: Secret Key → Date → Region → Service → 'aws4_request'. This scopes the key so a leaked derived key is only valid for one service in one region for one day.

The X-Amz-Date header must be within 5 minutes of the server clock to prevent replay attacks.


Step 1: POST /

Request / response
POST https://sts.us-east-1.amazonaws.com/

Content-Type: application/x-www-form-urlencoded
Host: sts.us-east-1.amazonaws.com
X-Amz-Date: 20260417T120000Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20260417/us-east-1/sts/aws4_req…

Body
Action=GetCallerIdentity&Version=2011-06-15

Cryptographic Signature

Construction Steps

1. Create Canonical Request

    POST
    /

    content-type:application/x-www-form-urlencoded
    host:sts.us-east-1.amazonaws.com
    x-amz-date:20260417T120000Z

    content-type;host;x-amz-date
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

2. Create String to Sign

    AWS4-HMAC-SHA256
    20260417T120000Z
    20260417/us-east-1/sts/aws4_request
    3511de7e05fc43d274dc597ffc640e0ec0fbcf26630f9a2e9b11110debd4dfd0

3. Calculate Signature (Derive Key)

    kDate = HMAC("AWS4" + wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, "20260417")
    kRegion = HMAC(kDate, "us-east-1")
    kService = HMAC(kRegion, "sts")
    kSigning = HMAC(kService, "aws4_request")

    Signature = HexEncode(HMAC(kSigning, StringToSign))

4. Build Authorization Header

    AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20260417/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=be7148d34ebccdc6423b19085378aa0cb971d4dd1cb465a3962d3a3c9e37d5cb

Signature Base String

AWS4-HMAC-SHA256
20260417T120000Z
20260417/us-east-1/sts/aws4_request
3511de7e05fc43d274dc597ffc640e0ec0fbcf26630f9a2e9b11110debd4dfd0

Signing Key

Derived key (Date → Region → Service → aws4_request)

Signature Output

be7148d34ebccdc6423b19085378aa0cb971d4dd1cb465a3962d3a3c9e37d5cb
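
The four construction steps above, together with the receiver-side check implied by the 5-minute X-Amz-Date rule, as an added Python example (not code from Protocol Explorer or AWS). It assumes lowercase header names and an already-encoded path and query string, and it hashes the request body that is actually sent, so its signature is computed from the inputs rather than copied from the values displayed above; `sign`, `authorization` and `verify` are hypothetical names.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone

ALGO = "AWS4-HMAC-SHA256"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret, date, region, service):
    # Secret Key -> Date -> Region -> Service -> "aws4_request"
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign(secret, method, path, query, headers, body, region, service):
    """Steps 1-3. Returns (signed_headers, credential_scope, hex_signature)."""
    amz_date, names = headers["x-amz-date"], sorted(headers)
    canonical = "\n".join([
        method, path, query,
        "".join(f"{n}:{headers[n].strip()}\n" for n in names),
        ";".join(names),
        sha256_hex(body),  # hash of the bytes actually sent
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join([ALGO, amz_date, scope, sha256_hex(canonical.encode())])
    key = signing_key(secret, amz_date[:8], region, service)
    return ";".join(names), scope, _hmac(key, to_sign).hex()

def authorization(access_key, signed, scope, signature):  # Step 4
    return f"{ALGO} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={signature}"

def verify(secret, req, presented, now, max_skew=timedelta(minutes=5)):
    """Receiver side: reject stale timestamps, then recompute and compare."""
    ts = datetime.strptime(req["headers"]["x-amz-date"], "%Y%m%dT%H%M%SZ")
    if abs(now - ts.replace(tzinfo=timezone.utc)) > max_skew:
        return False
    return hmac.compare_digest(sign(secret, **req)[2], presented)

# Inputs taken from the page; the key pair is the documentation example shown there.
SECRET, ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "AKIAIOSFODNN7EXAMPLE"
REQ = dict(method="POST", path="/", query="", region="us-east-1", service="sts",
           body=b"Action=GetCallerIdentity&Version=2011-06-15",
           headers={"content-type": "application/x-www-form-urlencoded",
                    "host": "sts.us-east-1.amazonaws.com",
                    "x-amz-date": "20260417T120000Z"})
```

`verify` uses `hmac.compare_digest` so the comparison time does not reveal how many leading characters of a guessed signature are correct.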