AWS Signature Version 4 Calculator

Generate SigV4 headers, canonical requests, and signatures

Safety note: Signatures are computed locally in your browser. Avoid using real production keys on shared devices.

Request + signature builderBuild canonical requests, strings to sign, and Authorization headers

Step 1

Request Details

Use the example to compare against AWS documentation or test suites.

Before you start

Start with a simple GET request and confirm each field matches the real request.

Required: HTTP method, service, region, host, canonical URI, access key, secret key, and x-amz-date.
Payload hashes must match the exact body you send (or use UNSIGNED-PAYLOAD where supported).
Temporary credentials need the session token header.

AWS SigV4 signing process · AWS SigV4 test suite

HTTP method

Service

Use the AWS service identifier for SigV4 (ex: s3, sts, execute-api).

Region

Host

Host must match the request host header.

Canonical URI

Path only. Leave blank for root.

Query string

Paste the raw query string without the leading "?" if possible.

Payload

Step 2

Credentials & Options

Access key ID

Secret access key

Session token (optional)

x-amz-date

Additional headers (optional)

Provide one header per line. Do not include host or x-amz-date.

Use UNSIGNED-PAYLOAD (common for S3)

Include x-amz-content-sha256 header

Step 3

Outputs

Missing: service, region, host, access key, secret key.

Authorization header

Headers to send

Signature Details

Payload hash

Signed headers

Signature

Expected signature (optional)

Signature = the final HMAC-SHA256 value AWS expects. Use an example from the SigV4 test suite or your server logs.

Signature Breakdown

Show breakdown

Enable to view the canonical request and string to sign.

About the AWS SigV4 Calculator

AWS Signature Version 4 (SigV4) signs API requests so AWS can verify who sent the request and whether the request was modified in transit. This calculator builds the canonical request, string to sign, and Authorization header for debugging, testing, and learning.

Who This Tool Helps

New AWS users: understand which fields are required and what SigV4 produces.
Everyday AWS users: verify why a signature failed when testing APIs or SDK integrations.
Support and QA: recreate signing steps when validating request logs.

How to Use This Tool

Enter the request method, host, path, and query string.
Provide your region, service name, and credentials.
Paste the exact payload for POST/PUT requests.
Review the generated headers and signature.

Example (Simple GET)

Start with a GET request and an empty payload to validate your canonical request. Use the AWS SigV4 test suite to compare the expected signature and confirm each step.

# Example request components
HTTP method: GET
Canonical URI: /
Query string: Action=ListUsers&Version=2010-05-08

Validation Tips

Compare your output with the AWS SigV4 guide.
Use the AWS SigV4 test suite to verify canonical requests and signatures.
Ensure host, x-amz-date, and payload hash match the real request.
For temporary credentials, include the session token header.

Common Pitfalls

Using the wrong service or region in the credential scope.
Signing a payload that differs from the actual request body.
Missing headers in the signed headers list.
Incorrect URL encoding in the canonical query string.

Definitions

Canonical request: The normalized request AWS signs (method, path, query, headers, payload hash).
String to sign: The value HMAC-SHA256 signs to create the final signature.
Signed headers: The header names included in the signature.
Payload hash: SHA-256 hash of the request body or UNSIGNED-PAYLOAD.

FAQ

Does this tool send any AWS requests?

No. It only generates signatures locally.

Why does my signature mismatch?

Double-check the payload hash, canonical URI, and signed headers.

Should I use UNSIGNED-PAYLOAD?

Use it when the AWS service allows it (commonly S3).