AUTHENTICATION
AWS Signature V4
Sign requests to AWS services using the AWS Signature Version 4 algorithm — the standard authentication mechanism for all AWS API calls.
How It Works
AWS Signature V4 is a multi-step signing process that authenticates every request to an AWS service. API Studio handles the entire process automatically — you just provide your credentials, region, and target service.
Configuration
Select AWS Signature V4 from the Auth type dropdown. Four fields are required:
| Field | Description | Example |
|---|---|---|
| accessKey | Your AWS Access Key ID | AKIAIOSFODNN7EXAMPLE |
| secretKey | Your AWS Secret Access Key | wJalrXUtnFEMI/K7MDENG/... |
| region | AWS region of the target service | us-east-1 |
| service | AWS service identifier | dynamodb |
Generated Headers
After signing, these headers are automatically added to your request:
| Header | Value |
|---|---|
| Authorization | AWS4-HMAC-SHA256 Credential=.../.../.../aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=... |
| X-Amz-Date | ISO 8601 timestamp (e.g. 20240315T120000Z) |
| X-Amz-Content-Sha256 | SHA-256 hash of the request body (hex-encoded) |
| Host | Target service hostname (e.g. dynamodb.us-east-1.amazonaws.com) |
You can inspect all generated headers in the Actual Request tab after sending.
Variable Support
All four configuration fields support {{variable}} placeholders. Variables are interpolated before the signing process begins.
Recommended setup:
Access Key: {{aws_access_key}}
Secret Key: {{aws_secret_key}}
Region: {{aws_region}}
Service: dynamodb
💡 Tip: Store your AWS credentials in the Secret Vault and reference them as {{aws_access_key}} and {{aws_secret_key}}. This keeps secrets encrypted at rest and out of your environment files.
Examples
Example: Calling DynamoDB
POST https://dynamodb.us-east-1.amazonaws.com/
Auth: AWS Signature V4
Access Key: {{aws_access_key}}
Secret Key: {{aws_secret_key}}
Region: us-east-1
Service: dynamodb
Headers:
Content-Type: application/x-amz-json-1.0
X-Amz-Target: DynamoDB_20120810.ListTables
Body (JSON):
{ "Limit": 10 }
Example: Calling S3
GET https://my-bucket.s3.eu-west-1.amazonaws.com/data/report.json
Auth: AWS Signature V4
Access Key: {{aws_access_key}}
Secret Key: {{aws_secret_key}}
Region: eu-west-1
Service: s3
The signing process handles both path-style and virtual-hosted-style S3 URLs automatically.
Security Note
Auth credentials appear in multiple places:
- Actual Request tab — shows resolved auth headers with real values
- Code Export — generated code includes resolved auth values
- History — saved request headers contain injected auth (scrubbed only if from vault)
- collections.json — auth config saved in plain text (committed to git)
Recommendation: Store sensitive credentials in the Secret Vault and reference them as {{variables}}. Vault secrets are automatically scrubbed from persisted history, and the vault file is AES-256-GCM encrypted — safe to have alongside git-tracked files.