Update AMP Content

Use the update-cache request to update and remove content from the Google AMP Cache. The update-ping request is also available, but will eventually be deprecated.

update-cache request

The update-cache request enables a higher request rate because it has additional security measures. The update-cache request requires the domain owner to sign the requests with an RSA key and to serve the matching public key from a standard URL on the origin domain.

You can flush any currently cached version of a document by issuing a signed request to the AMP Cache. The update-cache request is called at this address:

https://example-com.<cache.updateCacheApiDomainSuffix>/update-cache/c/s/example.com/article?amp_action=flush&amp_ts=<ts_val>&amp_url_signature=<sig_val>

The update-cache request requires the following parameters and values:

  • example-com and example.com: The domain name specified according to the formats used in the AMP cache URL format.
  • <cache.updateCacheApiDomainSuffix>: The domain name of the AMP Cache. See Call the update-cache request for more information.
  • amp_ts=<ts_val>: A UNIX-epoch timestamp, used to prevent replay attacks. The value is the time of the request in seconds and must be within 1 minute before or after the current time.
  • amp_url_signature=<sig_val>: This parameter represents the RSA signature of the entire request path (see Generate the RSA key), including amp_action and amp_ts, but excluding the signature itself.

To use the update-cache request, follow the steps below:

  1. Fetch the following file:
    https://cdn.ampproject.org/caches.json
  2. Iterate through the caches entries in the JSON file.
  3. Select the caches that you want to support.
  4. Call the update-cache request using the updateCacheApiDomainSuffix from each cache entry.
  5. Construct the URLs using the following format:
    https://example-com.<cache.updateCacheApiDomainSuffix>/update-cache/c/s/example.com/article?amp_action=flush&amp_ts=<ts_val>&amp_url_signature=<sig_val>

update-cache guidelines

You must follow the update-cache guidelines:

  • The AMP Cache hostname (cdn.ampproject.org) is excluded from the signature to allow submitting the same signed request to multiple AMP Cache operators.
  • For signature verification, you must serve the public RSA key at a fixed location on the AMP document's domain (to generate the key, see Generate the RSA key). For example:
    https://example.com/.well-known/amphtml/apikey.pub
  • The public key must not be blocked by robots.txt.
  • The URL must be HTTPS.
  • The domain must be the exact domain that you want to update, not a subdomain or superdomain.
  • You must publish the key in PEM format and serve the key with the content-type "text/plain".
  • The AMP Cache always fetches the public key from the same domain of the request, regardless of the domain specified by the document via any rel=canonical tag. If the origin domain serves an HTTP redirect at the location to be flushed, only the requested path is flushed from cache, and not the target of the redirect.

Generate the RSA key

The OpenSSL project provides command-line tools to generate and manage asymmetric RSA keys. You can also generate RSA keys and use them programmatically through the OpenSSL library, or an equivalent crypto API (node-crypto, NSS, or GnuTLS).

  1. Generate a pair of RSA keys in the textual PEM format like this:
    openssl genrsa 2048 > private-key.pem
    openssl rsa -in private-key.pem -pubout >public-key.pem
  2. Post the public key on the domain to be refreshed at the following location:
    https://example.com/.well-known/amphtml/apikey.pub

    The URL must be HTTPS. The key must be publicly accessible by an anonymous user.

  3. Use the private key to sign the AMP update-cache request. For example:
    echo -n >url.txt '/update-cache/c/s/example.com/article?amp_action=flush&amp_ts=1484941817'
    cat url.txt | openssl dgst -sha256 -sign private-key.pem >signature.bin

    The output to signature.bin is a binary RSA signature.

  4. Encode the binary RSA signature using the web-safe variant of base64.
  5. Append the base64-encoded RSA signature to the URL using the amp_url_signature query parameter.
  6. Use the public key to verify the signature:
    openssl dgst -sha256 -signature signature.bin -verify public-key.pem url.txt
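
Steps 3 to 6, together with the URL format given earlier, as shell functions: they sign the request path, apply the web-safe base64 encoding, assemble the final URL and check it locally against the public key. This is an added example, not part of the original documentation or of any AMP tool; the function names and argument order are illustrative, and stripping the '=' padding is an assumption.

```shell
# Added example: sign, encode, assemble and re-check an update-cache flush URL.
# Function names and argument order are illustrative, not from any AMP tool.

# Web-safe base64 of stdin: '+' -> '-', '/' -> '_', newlines removed.
# Stripping '=' padding is an assumption; the page only says "web-safe variant".
websafe_b64() {
  base64 | tr -d '\n=' | tr '/+' '_-'
}

# The exact string that is signed: path and query only, with no scheme,
# no cache hostname and no amp_url_signature.
# $1 = origin host and path (example.com/article), $2 = UNIX timestamp
signed_path() {
  printf '/update-cache/c/s/%s?amp_action=flush&amp_ts=%s' "$1" "$2"
}

# $1 private key (PEM)   $2 cache subdomain (example-com)
# $3 updateCacheApiDomainSuffix from caches.json
# $4 origin host and path   $5 timestamp (optional, defaults to now)
build_flush_url() {
  path=$(signed_path "$4" "${5:-$(date +%s)}")
  sig=$(printf '%s' "$path" | openssl dgst -sha256 -sign "$1" | websafe_b64)
  [ -n "$sig" ] || return 1   # empty output means signing failed
  printf 'https://%s.%s%s&amp_url_signature=%s\n' "$2" "$3" "$path" "$sig"
}

# Local check before sending: split a finished URL back into signed path and
# signature, then verify with the public key. $1 public key (PEM), $2 URL
verify_flush_url() {
  sig=${2##*"&amp_url_signature="}
  path=${2%"&amp_url_signature="*}
  path=/${path#https://*/}            # drop scheme and cache hostname
  b64=$(printf '%s' "$sig" | tr '_-' '/+')
  case $(( ${#b64} % 4 )) in          # restore the stripped padding
    2) b64="$b64==" ;;
    3) b64="$b64=" ;;
  esac
  tmp=$(mktemp) || return 1
  printf '%s' "$b64" | base64 -d >"$tmp" 2>/dev/null
  printf '%s' "$path" | openssl dgst -sha256 -signature "$tmp" -verify "$1" \
    >/dev/null 2>&1
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

Because the cache hostname is not part of the signed string, one signature can be reused for each updateCacheApiDomainSuffix as long as the same timestamp is passed as the fifth argument.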

update-ping request

The update-ping request is a GET request. It has a lower request rate and will eventually be deprecated in favor of the update-cache endpoint. The update-ping format for this AMP Cache URL, https://cdn.ampproject.org/c/s/example.com, is as follows:

https://cdn.ampproject.org/update-ping/c/s/example.com

Remove AMP content

Use update-ping or update-cache to permanently remove content from the Google AMP Cache after the content has been removed from its origin. For example, to purge content formerly served at https://cdn.ampproject.org/i/s/example.com/favicon.ico, send an update-ping request to:

https://cdn.ampproject.org/update-ping/i/s/example.com/favicon.ico

While cached content that no longer exists will eventually get removed from the cache, using update-ping or update-cache is faster. Using update-ping usually reduces the maximum removal latency to:

End-to-end latency = Z + 4 minutes, where Z = the latency of the publisher (if any).

An update-ping or update-cache request to purge content fetched from the origin with HTTPS doesn't purge content fetched with HTTP. For example, https://cdn.ampproject.org/update-ping/i/s/example.com/favicon.ico will only purge the content served from https://cdn.ampproject.org/i/s/example.com/favicon.ico, not from https://cdn.ampproject.org/i/example.com/favicon.ico (note the lack of /s/ in the latter).