Create an "X-Akamai-ACS-Auth-Data" header

This example shows how to generate an example "X-Akamai-ACS-Auth-Data" header, known throughout this documentation as [signature header 1].

  • Using the recommended [version] of 5
  • The epoch time for the request is 1280000000 (the [time] variable)
  • The [unique-id] value is 382644692
  • The [Key-name] is "UploadAccountMedia"
X-Akamai-ACS-Auth-Data: 5,,, 1280000000, 382644692, UploadAccountMedia

Create an "X-Akamai-ACS-Auth-Sign" header

With the values set in the X-Akamai-ACS-Auth-Data header, for the sake of example, assume the following for this example:

  • The [key] (‚Äúshared secret‚ÄĚ) value is abcdefghij
  • The request path from the HTTP request for an upload action is [/123456/files_baseball/sweep.m4a]
  • In addition, various optional upload action header fields are defined, and they too, must be included.

With these variables, the HMAC-SHA256 would then be as follows:

    "5,,, 1280000000, 382644692, UploadAccountMedia" +
    "/123456/files_baseball/sweep.m4a\n" +
    "x-akamai-acs-action:version=1&action=upload" +
    "&md5=0123456789abcdef0123456789abcdef" +


In this particular example, there are exactly two newline and five space characters in the string that is signed using HMAC-SHA256

As a result, the X-Akamai-ACS-Auth-Sign header would look as follows (after all of the above-values were SHA-256 hashed):

X-Akamai-ACS-Auth-Sign: yh1MXm/rv7RKZhfKlTuSUBV69Acph5IyOWCU0/nFjms=

Combine both headers in an example request

With both headers established, an example call incorporating them might look like the example that follows. (This call uses the upload action, along with its required and optional action header fields.)

PUT /123456/files_baseball/sweep.m4a HTTP/1.1
X-Akamai-ACS-Action: version=1&action=upload&md5=0123456789abcdef0123456789abcdef&mtime=1260000000
X-Akamai-ACS-Auth-Data: 5,,, 1280000000, 382644692, UploadAccountMedia ‚Üź [signature header 1]
X-Akamai-ACS-Auth-Sign:yh1MXm/rv7RKZhfKlTuSUBV69Acph5IyOWCU0/nFjms= ‚Üź [signature header 2]

[PUT body]

When the NetStorage server receives a request, it can use the information in the request to verify the following:

  • Ensure that both of the above-specified headers exist. (The ‚Üź [signature header #] content is just for labeling purposes, and is not included.)
  • Ensure that the version given in the X-Akamai-ACS-Auth-Data header is a supported version.
  • Ensure that the [Key] given corresponds to the[Key-name] in the X-Akamai-ACS-Auth-Data header.
  • Ensure that the [time] given in X-Akamai-ACS-Auth-Data header is within +/- 60 seconds of the current time.
  • Ensure that the signature matches both the given X-Akamai-ACS-Auth-Data header, and the [sign-string] in the X-Akamai-ACS-Auth-Sign header
  • The NetStorage Server may check that the given X-Akamai-ACS-Auth-Data header has not been used before.

If any of the above steps fail, the recipient server should reject the request.


Your account team can provide sample code to help implement these steps.