*** title: Authenticate with AWS Signature authentication workflow in Postman updated: 2026-01-15T00:00:00.000Z topictype: procedure max-toc-depth: 2 ---------------- AWS Signature is the authorization workflow for Amazon Web Services requests. AWS uses a custom HTTP scheme based on a keyed-HMAC (Hash Message Authentication Code) for authentication. The official AWS Signature documentation provides more detail: * [Signing and Authenticating REST Requests](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html/) * [Invoke REST APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-call-api.html/) To use AWS Signature, do the following: 1. In the **Authorization** tab for a request, select **AWS Signature** from the **Auth Type** dropdown list. 2. Select the location where Postman will append your AWS auth details using the **Add authorization data to** dropdown list. Select **Request Headers** or **Request URL**. * If you select **Request Headers**, Postman adds `Authorization` and `X-Amz-` prefixed fields in the **Headers** tab. * If you select **Request URL**, Postman adds the auth details in **Params** with keys prefixed `X-Amz-`. 3. Enter your **AccessKey** and **SecretKey** values. For extra security, use your [Postman Vault](/docs/sending-requests/postman-vault/postman-vault-secrets/) to store sensitive data as vault secrets. Only you can access and use values associated with your vault secrets, and vault secrets aren't synced to the Postman cloud. If you want to share sensitive data with collaborators, you can store it in an environment as a [variable set as sensitive data](/docs/sending-requests/variables/variables/#set-a-value-as-sensitive-data). 4. You can optionally set advanced fields in the **Advanced configuration** section, but Postman generates these automatically if necessary. The AWS Signature parameters are as follows: * **AWS Region** - The region receiving the request (defaults to `us-east-1`). * **Service Name** - The service receiving the request. * **Session Token** - Required only when using temporary security credentials.