This topic describes the signature algorithm that EventBridge uses when pushing events to HTTP/HTTPS event targets.
Background information
In the EventBridge model, events are delivered from event sources to event buses, filtered and transformed by event rules, and then forwarded to event targets for processing. HTTP/HTTPS event targets typically need to expose a public endpoint to receive events pushed by EventBridge. To ensure data security, HTTP/HTTPS event targets need to verify that incoming requests originate from EventBridge.
How EventBridge signs requests
1. EventBridge builds the string-to-sign. For more information about the string-to-sign format, see String-to-sign format.
2. EventBridge computes a SHA256 hash of the string-to-sign, and writes the hash algorithm name to the x-eventbridge-hash-method header.
3. EventBridge signs the hash with an RSA private key, Base64-encodes the result, and writes the value to the x-eventbridge-signature-v2 header.
4. EventBridge writes the current timestamp to the x-eventbridge-signature-timestamp header.
5. EventBridge writes the public key certificate URL to the x-eventbridge-signature-url header.
How to verify the signature
1. The event target retrieves the timestamp from the x-eventbridge-signature-timestamp header.
   - If the current time differs from the timestamp by more than 60 seconds, the event target considers the request expired, which prevents replay attacks.
   - If the current time differs from the timestamp by no more than 60 seconds, the event target continues with the following verification steps.
2. The event target checks whether x-eventbridge-signature-url is an official EventBridge certificate URL, that is, whether the domain matches the format https://[RegionId]-eventbridge.oss-accelerate.aliyuncs.com.
   - If the URL is from an official EventBridge certificate source, the event target retrieves the public key from the URL specified in x-eventbridge-signature-url.
   - If the URL is not from an official EventBridge certificate source, the event target considers that the request did not originate from EventBridge and rejects it.
3. The event target builds the string-to-sign. For more information about the string-to-sign format, see String-to-sign format.
4. The event target hashes the string-to-sign with the algorithm named in x-eventbridge-hash-method and uses the public key retrieved in step 2 to verify the RSA signature in the x-eventbridge-signature-v2 header.
   - If verification succeeds, the request originated from EventBridge and the event target accepts and processes the event.
   - If verification fails, the request did not originate from EventBridge and the event target rejects it.
String-to-sign format
StringToSign = URL + "\n" + EventBridge fixed headers + "\n" + body
Where:
- URL: The complete target address, including scheme, domain, path, and query parameters. For example: https://example.com/api/v1/events?key1=value1
- EventBridge fixed headers: The EventBridge-defined headers carried in the request headers, joined with "\n".
- body: The raw request body, encoded in UTF-8.
The EventBridge fixed headers must appear in the following order:
- x-eventbridge-signature-timestamp: The timestamp when the request was sent. If the interval between the sending time and the receiving time exceeds 60 seconds, the timestamp is considered expired, causing signature verification to fail and preventing replay attacks.
- x-eventbridge-hash-method: The hash algorithm. Fixed at SHA256 for the current version. When verifying the signature, the event target must use the algorithm specified in this field to hash the string-to-sign, then perform RSA signature verification.
- x-eventbridge-signature-version: The signature version. Default: 1.0.
- x-eventbridge-signature-url: The signing certificate URL.
- x-eventbridge-signature-token: A custom signature token. This parameter is optional. If specified, you must pass this token when generating the signature on the client side. For details, see Route events to an HTTP endpoint.
The EventBridge fixed headers must be passed in the exact order listed above, joined with "\n". For example:
"x-eventbridge-signature-timestamp: 1777258182789" + "\n" +
"x-eventbridge-hash-method: SHA256" + "\n" +
"x-eventbridge-signature-version: 1.0" + "\n" +
"x-eventbridge-signature-url: https://cn-hangzhou-eventbridge.oss-accelerate.aliyuncs.com/x509_public_certificate_2021012501.pem"
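As an added example (not the page's own code and not the Java reference implementation), the following Python verifier applies the checks above in the documented order: replay window first, then the certificate-host check, then the RSA signature over the string-to-sign. It assumes header names are lowercase dict keys, that the caller supplies fetch_pem() to download the certificate over HTTPS, that the .pem at the certificate URL is an X.509 certificate, and PKCS#1 v1.5 padding (what Java's SHA256withRSA produces); the final RSA step needs the cryptography package.

```python
import base64
import re
import time
from urllib.parse import urlsplit

# Fixed headers in the exact order the string-to-sign requires; the token is optional.
SIGNED_HEADERS = ("x-eventbridge-signature-timestamp", "x-eventbridge-hash-method",
                  "x-eventbridge-signature-version", "x-eventbridge-signature-url",
                  "x-eventbridge-signature-token")
# The host must be exactly [RegionId]-eventbridge.oss-accelerate.aliyuncs.com (no suffix, no prefix).
OFFICIAL_CERT_HOST = re.compile(r"^[a-z0-9-]+-eventbridge\.oss-accelerate\.aliyuncs\.com$")
MAX_SKEW_MS = 60_000  # 60-second replay window; the timestamp header is in milliseconds

def build_string_to_sign(url, headers, body):
    """URL, then each fixed header present ("name: value") in order, then the raw body, newline-joined."""
    lines = ["%s: %s" % (h, headers[h]) for h in SIGNED_HEADERS if h in headers]
    return (url + "\n" + "\n".join(lines) + "\n").encode("utf-8") + body

def timestamp_is_fresh(ts_ms, now_ms=None):
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return abs(now_ms - int(ts_ms)) <= MAX_SKEW_MS

def is_official_cert_url(cert_url):
    parts = urlsplit(cert_url)
    return parts.scheme == "https" and bool(OFFICIAL_CERT_HOST.match(parts.hostname or ""))

def verify_request(url, headers, body, fetch_pem, now_ms=None):
    """Return (ok, reason). fetch_pem(cert_url) -> bytes is the caller's HTTPS download of the .pem."""
    ts = headers.get("x-eventbridge-signature-timestamp")
    if ts is None or not ts.isdigit() or not timestamp_is_fresh(ts, now_ms):
        return False, "timestamp missing or outside the 60-second window"
    if headers.get("x-eventbridge-hash-method") != "SHA256":
        return False, "unsupported hash method"
    cert_url = headers.get("x-eventbridge-signature-url", "")
    if not is_official_cert_url(cert_url):
        return False, "certificate URL is not an official EventBridge source"
    # Only after the cheap checks pass do we fetch the key and pay for RSA (needs 'cryptography').
    from cryptography import x509
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    key = x509.load_pem_x509_certificate(fetch_pem(cert_url)).public_key()  # assumption: X.509 PEM
    sig = base64.b64decode(headers.get("x-eventbridge-signature-v2", ""))
    try:  # assumption: PKCS#1 v1.5 padding over SHA256, i.e. Java SHA256withRSA
        key.verify(sig, build_string_to_sign(url, headers, body),
                   padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False, "RSA signature does not match the string-to-sign"
    return True, "ok"
```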
Reference implementation
EventBridge provides an open-source Java reference implementation to help you understand the signature verification flow:
- Repository: https://github.com/aliyuneventbridge/eb-http-target
- SignatureVerify.java: Main signature verification logic
- PublicKeyBuilder.java: Public key certificate download and parsing
- StringToSignBuilder.java: String-to-sign construction