# 403 Forbidden: The request signature we calculated does not match the signature you provided. Check your key and signing method.

- **ID:** `api/invalid-signed-url-expiration`
- **Domain:** api
- **Category:** auth_error
- **Error Code:** `SignatureDoesNotMatch`
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

The signed URL has expired, or the signature was computed with a mismatched key, typically because of clock skew between the signer and the service or an incorrect signing algorithm.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS S3 SDK v1.12.0 | active | — | — |
| Google Cloud Storage XML API v1 | active | — | — |
| Azure Blob Storage REST API 2021-12-02 | active | — | — |

## Workarounds

1. **Synchronize system clocks using NTP (e.g., run `ntpdate pool.ntp.org` or enable the NTP service) and regenerate the signed URL within the expiration window.** (85% success)
   ```
   ntpdate pool.ntp.org
   ```
2. **If using AWS S3 signed URLs, verify the signing region and service: ensure `X-Amz-Algorithm` is `AWS4-HMAC-SHA256` and the credential scope matches the bucket region.** (80% success)
   ```
   aws s3 presign s3://mybucket/file --expires-in 3600 --region us-east-1
   ```
3. **Implement retry logic with clock drift compensation: subtract 30 seconds from the current time when generating the signature to account for minor skew.** (75% success)

## Dead Ends

- Regenerating the same URL with the same parameters while ignoring clock skew between servers (e.g., more than 5 minutes of drift) will still fail. (65% fail)
- Switching to a different signing algorithm (e.g., from HMAC-SHA256 to HMAC-SHA1) without updating both client and server causes a mismatch. (55% fail)
- Copying the signed URL to a different environment (e.g., from staging to production) where the secret key differs will always fail. (75% fail)
