I'm integrating the AliExpress Dropshipping API into a NestJS application and consistently getting an IncompleteSignature error when trying to exchange an authorization code for an access token.
Environment
Platform: AliExpress Open Platform (new portal, not legacy Taobao)
Backend: Node.js 22.15.0, NestJS, TypeScript
App Key: XXXXXX
Callback URL: https://organic-ecom-app-api.vercel.app/api/aliexpress/callback
Endpoint Type: System Interface (/auth/token/create)
Error Response
```json
{
  "type": "ISV",
  "code": "IncompleteSignature",
  "message": "The request signature does not conform to platform standards",
  "request_id": "212a782117695399357757883"
}
```
What I've Tried
Based on extensive research and official documentation, I've implemented the following:
1. Correct Endpoint Format
According to the AliExpress documentation, System Interfaces should use:
https://api-sg.aliexpress.com/sync?method={api_path}&{params}
Current implementation:
```typescript
const fullUrl = `https://api-sg.aliexpress.com/sync?method=/auth/token/create&${queryString}`;
```
2. Signature Generation (HMAC-SHA256)
Following the official algorithm:
signString = apiPath + key1value1 + key2value2 + ... (sorted alphabetically)
signature = HMAC-SHA256(signString, appSecret).toUpperCase()
Implementation:
```typescript
import * as crypto from 'crypto'; // Node.js built-in, imported at the top of the service file

// Method of the NestJS service; this.appSecret holds the app secret from the developer portal.
private generateSystemInterfaceSignature(
  params: Record<string, any>,
  apiPath: string
): string {
  const sortedKeys = Object.keys(params).sort();
  let signString = apiPath; // Start with API path
  sortedKeys.forEach(key => {
    if (params[key] !== undefined && params[key] !== null) {
      signString += key + params[key]; // key immediately followed by value, no separators
    }
  });
  const signature = crypto
    .createHmac('sha256', this.appSecret)
    .update(signString, 'utf8')
    .digest('hex')
    .toUpperCase();
  return signature;
}
```
3. Request Parameters
```typescript
const params = {
  app_key: 'XXXXX',
  timestamp: '1769539935053', // Date.now().toString()
  sign_method: 'sha256',
  format: 'json',
  code: '3_525634_FN2e6vcwQsUKRiy35fDmthpo2137' // Fresh OAuth code
};
```
4. Complete Request Flow
```typescript
import axios from 'axios'; // imported at the top of the service file

// Method of the NestJS service; this.appKey and this.appSecret come from the developer portal.
async getAccessToken(code: string) {
  const timestamp = Date.now().toString();
  const signPath = '/auth/token/create';
  const params: Record<string, string> = {
    app_key: this.appKey,
    timestamp,
    sign_method: 'sha256',
    format: 'json',
    code,
  };

  // Generate signature
  const sign = this.generateSystemInterfaceSignature(params, signPath);
  const requestParams: Record<string, string> = { ...params, sign };

  // Build sorted query string (values are sent as-is, without URL encoding)
  const queryString = Object.keys(requestParams)
    .sort()
    .map(key => `${key}=${requestParams[key]}`)
    .join('&');

  // System Interface endpoint
  const fullUrl = `https://api-sg.aliexpress.com/sync?method=${signPath}&${queryString}`;

  // GET request
  const response = await axios.get(fullUrl);
  return response.data;
}
```
Debug Output
```
🔐 Signature Generation (System Interface):
API Path: /auth/token/create
Sorted Keys: [ 'app_key', 'code', 'format', 'sign_method', 'timestamp' ]
Initial signString (apiPath): /auth/token/create
Added: app_keyXXXXXX
Added: code3_XXXXXX_FN2e6vcwQsUKRiy35fDmthpo2137
Added: formatjson
Added: sign_methodsha256
Added: timestamp1769539935053
Final signString: /auth/token/createapp_keyAPP_SECRETcodeCODEformatjsonsign_methodsha256timestamp1769539935053
HMAC-SHA256 Signature: 202733C450AF8C35389F422D5529D71FAA9C0B4CBD286082AF68BE83670DAB64
Request URL: https://api-sg.aliexpress.com/sync?method=/auth/token/create&app_key=appsecret&code=FRESHCODE&format=json&sign=SIGN&sign_method=sha256&timestamp=1769539935053
```
Alternative Approaches Tested
❌ MD5 Instead of SHA256
```typescript
// Tried MD5 with sandwich format (params concatenated as sorted key+value pairs)
const sortedParams = Object.keys(params).sort().map(key => key + params[key]).join('');
const signString = appSecret + sortedParams + appSecret;
const signature = crypto.createHash('md5').update(signString).digest('hex').toUpperCase();
```
Result: Same error
❌ /rest Endpoint
```typescript
const fullUrl = `https://api-sg.aliexpress.com/rest/auth/token/create?${queryString}`;
```
Result: Same error
❌ POST Instead of GET
Result: Same error
❌ Including appSecret in Sign String (Sandwich Format)
```typescript
// Sandwich format with the API path inside; sortedParams is the sorted key+value concatenation
let signString = this.appSecret + apiPath + sortedParams + this.appSecret;
```
Result: Same error
Questions
Is the signature algorithm correct for System Interfaces? Should it be apiPath + params or something else?
Is /sync?method= the correct endpoint format for /auth/token/create? Some documentation suggests /rest for newer APIs.
Should the authorization code be URL-encoded in the signature string or query parameters?
Are there any missing required parameters for the token exchange endpoint?
Has anyone successfully implemented AliExpress OAuth in Node.js/TypeScript without using the PHP/Java SDKs?
Additional Context
Authorization codes are fresh (generated within seconds of the request)
App credentials are verified and active in the AliExpress Developer Portal
IP whitelisting is configured correctly
The app has the necessary permissions enabled
References
AliExpress Open Platform Documentation
System vs Business Interfaces Guide
Any help would be greatly appreciated! I've been stuck on this for days and have exhausted all documented approaches.
Update Log
Attempted Solutions:
✅ Verified endpoint format (System Interface uses /sync?method=)
✅ Implemented HMAC-SHA256 signature with correct parameter sorting
✅ Tested both GET and POST methods
✅ Tried MD5 and SHA256 algorithms
✅ Tested with and without URL encoding
✅ Verified timestamp format (milliseconds)
✅ Ensured fresh authorization codes
❌ Still receiving IncompleteSignature error
Current Status: Blocked on token exchange, unable to proceed with API integration.
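The following is an added example, not code from the question or from AliExpress. It implements the signing scheme exactly as the question describes it (sign string = apiPath + sorted key/value pairs, HMAC-SHA256 with the app secret, uppercase hex) and then does the check a practitioner wants before blaming the algorithm: parse the URL that is about to be sent, rebuild the sign string from the transmitted query the way a server would, and compare. That isolates transport-side mismatches (unencoded values, dropped keys, ordering) from the algorithm itself. The app key, secret, authorization code and the `buildRequestUrl`/`verifyOutgoingUrl` names are placeholders chosen here, and nothing below asserts that this is the algorithm the platform actually expects.

```typescript
// Added example (not from the original post). Signs a request the way the
// question describes and re-derives the signature from the outgoing URL.
import * as crypto from 'crypto';

const BASE_URL = 'https://api-sg.aliexpress.com/sync'; // endpoint named in the post

type Params = Record<string, string>;

/** Canonical sign string as the post describes it: apiPath, then key+value pairs in sorted key order. */
export function buildSignString(apiPath: string, params: Params): string {
  return apiPath + Object.keys(params).sort().map(k => k + params[k]).join('');
}

/** HMAC-SHA256(signString, appSecret), uppercase hex. */
export function sign(apiPath: string, params: Params, appSecret: string): string {
  return crypto
    .createHmac('sha256', appSecret)
    .update(buildSignString(apiPath, params), 'utf8')
    .digest('hex')
    .toUpperCase();
}

/** Build the request URL, percent-encoding every value so the bytes that were
 *  signed are the bytes the server decodes. */
export function buildRequestUrl(apiPath: string, params: Params, appSecret: string): string {
  const signed: Params = { ...params, sign: sign(apiPath, params, appSecret) };
  const query = Object.keys(signed)
    .sort()
    .map(k => `${encodeURIComponent(k)}=${encodeURIComponent(signed[k])}`)
    .join('&');
  return `${BASE_URL}?method=${apiPath}&${query}`;
}

/** Server-side view of the request: parse the query, take `method` as the API
 *  path, drop `sign`, re-sign the remaining parameters and compare. */
export function verifyOutgoingUrl(url: string, appSecret: string): { ok: boolean; expected: string; got: string } {
  const u = new URL(url);
  const apiPath = u.searchParams.get('method') || '';
  const got = u.searchParams.get('sign') || '';
  const params: Params = {};
  u.searchParams.forEach((v, k) => {
    if (k !== 'method' && k !== 'sign') params[k] = v; // decoded values, as a server sees them
  });
  const expected = sign(apiPath, params, appSecret);
  const ok = expected.length === got.length &&
    crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(got));
  return { ok, expected, got };
}

// Constructed sample input (placeholder credentials, not real ones). The code
// deliberately contains '+' and '/', which change under URL encoding.
export const API_PATH = '/auth/token/create';
export const SAMPLE_SECRET = 'example-app-secret';
export const SAMPLE_PARAMS: Params = {
  app_key: '123456',
  timestamp: '1769539935053',
  sign_method: 'sha256',
  format: 'json',
  code: '3_525634_abc+def/ghi',
};

// Run stand-alone: prints the sign string, the URL, and whether it self-verifies.
const demoUrl = buildRequestUrl(API_PATH, SAMPLE_PARAMS, SAMPLE_SECRET);
console.log(buildSignString(API_PATH, SAMPLE_PARAMS));
console.log(demoUrl);
console.log(verifyOutgoingUrl(demoUrl, SAMPLE_SECRET));
```

If `verifyOutgoingUrl` returns `ok: false` for a URL your own code produced, the value that reached the query string differs from the one you signed; a `+` sent unencoded is decoded as a space, for example. If it returns `ok: true` and the platform still rejects the request, the transport is consistent and the disagreement is in the sign string itself (which parameters, which prefix, which digest).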
