Standard

AWS Signature Version 4 (SigV4)


Summary

What it is

The AWS cryptographic request signing protocol used to authenticate and authorize S3 API requests. Every S3 request is signed with HMAC-SHA256 using the caller's credentials.

Where it fits

SigV4 is the authentication layer of the S3 ecosystem. Every S3-compatible storage system that claims S3 API compatibility must implement SigV4 verification. Every S3 client library must implement SigV4 signing. It is the security handshake that makes the ecosystem work.

Misconceptions / Traps
  • SigV4 signing is region-scoped. Requests must be signed for the correct region, or they are rejected. This catches developers who hardcode regions or use global endpoints incorrectly.
  • Clock skew between client and server causes SigV4 failures. S3 requests are rejected if the timestamp is more than 15 minutes from the server's clock.

Key Connections
  • scoped_to S3 API — the authentication protocol for all S3 requests
  • enables S3 API interoperability — every S3-compatible system must implement SigV4
  • constrained_by S3 Compatibility Drift — some implementations handle SigV4 edge cases differently

Definition

What it is

AWS's cryptographic request signing protocol that authenticates and authorizes every S3 API request using HMAC-SHA256 signatures derived from the request components and the caller's secret key.

Why it exists

SigV4 is the authentication layer of the S3 API. Every S3-compatible implementation must support SigV4 for client compatibility. It provides request integrity, replay protection, and credential-based access control.
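The following is an added example, not code from AWS or from this page. It sketches SigV4 signing and verification for a body-less GET to show why the two traps listed under Misconceptions / Traps cause rejections: the region is mixed into the signing key, and the timestamp is checked against the 15-minute window. The secret, host and path are constructed, and the rejection strings are modelled on S3 error codes.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=15)            # window stated on this page
SECRET = "constructed-secret-key-for-demo"  # constructed, not a real credential
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret, date, region, service="s3"):
    # Key chain: "AWS4"+secret -> date -> region -> service -> "aws4_request".
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def canonical_get(host, path, amz_date):
    # Canonical request for a body-less GET with no query string.
    headers = (f"host:{host}\nx-amz-content-sha256:{EMPTY_SHA256}\n"
               f"x-amz-date:{amz_date}\n")
    signed = "host;x-amz-content-sha256;x-amz-date"
    return "\n".join(["GET", path, "", headers, signed, EMPTY_SHA256])

def sign(secret, amz_date, region, canonical_request):
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"  # region is part of the scope
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])
    return hmac.new(signing_key(secret, date, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()

def verify(secret, amz_date, server_region, canonical_request, signature, now):
    """Verifier side: return "ok" or the reason the request is rejected."""
    ts = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if abs(now - ts) > MAX_SKEW:
        return "RequestTimeTooSkewed"
    expected = sign(secret, amz_date, server_region, canonical_request)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, signature):
        return "SignatureDoesNotMatch"
    return "ok"
```

A verifier in `us-east-1` recomputing a signature that the client produced for `eu-west-1` derives a different key, so the comparison fails even though the secret and request are identical.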

Primary use cases

S3 API authentication, presigned URL generation, cross-account access delegation, S3-compatible server implementation.

Recent developments

Latest signals
  • GitHub. AWS APIs require SigV4 signing and use a configurable proxy/backend endpoint. Updated February 21, 2026. Per GitHub (aws/aws-kms-xksproxy-api-spec).
  • aws-kms-xksproxy-api-spec/xks_proxy_api_spec.md. Last Updated: Mar 9, 2026. Authentication section: SigV4 Credentials Rotation. KMS signs all XKS Proxy API requests using AWS SigV4. After June 15, 2026, mTLS is no longer viable; customers MUST rely on SigV4 authentication. Per GitHub (aws/aws-kms-xksproxy-api-spec).
  • gbrain-agent-brain/TODOS.md. Completed: v0.6.0 (2026-04-10) — replaced with @aws-sdk/client-s3 for proper SigV4 signing. Per GitHub (syntax-syndicate/gbrain-agent-brain) (2026-04-24).
