
AUTHENTICATION

AWS Signature V4

Sign requests to AWS services using the AWS Signature Version 4 algorithm — the standard authentication mechanism for all AWS API calls.

How It Works

AWS Signature V4 is a multi-step signing process that authenticates every request to an AWS service. API Studio handles the entire process automatically — you just provide your credentials, region, and target service.

1. Canonical Request — Normalizes the HTTP method, URI, query string, headers, and body hash into a deterministic string
2. String to Sign — Combines the algorithm identifier, timestamp, credential scope, and hash of the canonical request
3. Signing Key — Derives a key via an HMAC-SHA256 chain: secret key → date → region → service → "aws4_request"
4. Signature — HMAC-SHA256 of the string to sign using the derived signing key, hex-encoded

Configuration

Select AWS Signature V4 from the Auth type dropdown. Four fields are required:

Field      Description                        Example
accessKey  Your AWS Access Key ID             AKIAIOSFODNN7EXAMPLE
secretKey  Your AWS Secret Access Key         wJalrXUtnFEMI/K7MDENG/...
region     AWS region of the target service   us-east-1
service    AWS service identifier             dynamodb

Generated Headers

After signing, these headers are automatically added to your request:

Header                Value
Authorization         AWS4-HMAC-SHA256 Credential=.../.../.../aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=...
X-Amz-Date            ISO 8601 timestamp (e.g. 20240315T120000Z)
X-Amz-Content-Sha256  SHA-256 hash of the request body (hex-encoded)
Host                  Target service hostname (e.g. dynamodb.us-east-1.amazonaws.com)

You can inspect all generated headers in the Actual Request tab after sending.
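
The four steps from "How It Works", producing the headers in the table above, written out as an added Python example (not API Studio's own code). The function name sign_v4, its parameters, and the placeholder credentials are assumptions made for illustration; the canonical path is used as sent, which is the S3 rule, while other services expect it URI-encoded once more.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Header set taken from the SignedHeaders value in the table above
SIGNED = ("host", "x-amz-content-sha256", "x-amz-date")

def sign_v4(method, url, body, access_key, secret_key, region, service, amz_date):
    """Return the headers SigV4 adds; amz_date looks like 20240315T120000Z."""
    parts = urlsplit(url)
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"host": parts.netloc, "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date}

    # Step 1: canonical request. Query pairs are URI-encoded, then sorted.
    # The path is used as sent (S3 rule); other services encode it once more.
    pairs = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~"))
                   for k, v in parse_qsl(parts.query, keep_blank_values=True))
    canonical = "\n".join([
        method.upper(), parts.path or "/",
        "&".join(f"{k}={v}" for k, v in pairs),
        "".join(f"{h}:{headers[h].strip()}\n" for h in SIGNED),
        ";".join(SIGNED), payload_hash])

    # Step 2: string to sign = algorithm, timestamp, credential scope, hash
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical.encode()).hexdigest()])

    # Step 3: signing key. The chain starts from "AWS4" + secret key.
    key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()

    # Step 4: hex-encoded HMAC-SHA256 of the string to sign
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={';'.join(SIGNED)}, Signature={signature}")
    return headers

if __name__ == "__main__":
    # Constructed placeholder credentials, not real keys
    for name, value in sign_v4(
            "POST", "https://dynamodb.us-east-1.amazonaws.com/", b'{ "Limit": 10 }',
            "AKIDEXAMPLE", "constructed-secret", "us-east-1", "dynamodb",
            "20240315T120000Z").items():
        print(f"{name}: {value}")
```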

Variable Support

All four configuration fields support {{variable}} placeholders. Variables are interpolated before the signing process begins.

Recommended setup:

Access Key:  {{aws_access_key}}
Secret Key:  {{aws_secret_key}}
Region:      {{aws_region}}
Service:     dynamodb

💡 Tip: Store your AWS credentials in the Secret Vault and reference them as {{aws_access_key}} and {{aws_secret_key}}. This keeps secrets encrypted at rest and out of your environment files.

Examples

Example: Calling DynamoDB

POST https://dynamodb.us-east-1.amazonaws.com/

Auth: AWS Signature V4
  Access Key:  {{aws_access_key}}
  Secret Key:  {{aws_secret_key}}
  Region:      us-east-1
  Service:     dynamodb

Headers:
  Content-Type: application/x-amz-json-1.0
  X-Amz-Target: DynamoDB_20120810.ListTables

Body (JSON):
  { "Limit": 10 }

Example: Calling S3

GET https://my-bucket.s3.eu-west-1.amazonaws.com/data/report.json

Auth: AWS Signature V4
  Access Key:  {{aws_access_key}}
  Secret Key:  {{aws_secret_key}}
  Region:      eu-west-1
  Service:     s3

The signing process handles both path-style and virtual-hosted-style S3 URLs automatically.

Security Note

Auth credentials appear in multiple places:

  • Actual Request tab — shows resolved auth headers with real values
  • Code Export — generated code includes resolved auth values
  • History — saved request headers contain injected auth (scrubbed only if from vault)
  • collections.json — auth config saved in plain text (committed to git)

Recommendation: Store sensitive credentials in the Secret Vault and reference them as {{variables}}. Vault secrets are automatically scrubbed from persisted history, and the vault file is AES-256-GCM encrypted — safe to have alongside git-tracked files.
