Use the update-cache request to update and remove content from the Google AMP Cache.
Currently, update-cache only ensures that the content is updated within its
max-age, which means the maximum amount of time a resource will be considered fresh.
The update-cache request requires the domain owner to
sign the requests with an RSA key and to serve the matching public key from a standard URL on the origin domain.
You can flush any currently cached version of a document by issuing a signed
request to the AMP Cache. The update-cache request is called at this address:
https://example-com.<cache.updateCacheApiDomainSuffix>/update-cache/c/s/example.com/article?amp_action=flush&_ts=<ts_val>&_url_signature=<sig_val>
Parameters
The update-cache request requires the following parameters and values:
| Parameters | |
|---|---|
example-com and example.com
|
Required The domain name specified according to the formats used in the AMP cache URL format. |
<cache.updateCacheApiDomainSuffix>
|
Required The domain name of the AMP Cache. See Call theupdate-cache request for more information.
|
amp_ts=<ts_val>
|
Required This parameter represents a UNIX-epoch timestamp, which is used to prevent replay attacks. The value should be the current time in seconds, which must be within 1 minute before or after the current time. |
amp_url_signature=<sig_val>
|
Required This parameter represents the RSA signature of the entire request path (see Generate the RSA key), includingamp_action and amp_ts, but excluding the signature
itself.
|
Guidelines
You must follow the update-cache guidelines:
- The AMP Cache hostname (cdn.ampproject.org) is excluded from the signature to allow submitting the same signed request to multiple AMP Cache operators.
- For signature verification, you must serve the public RSA key at a fixed
location on the AMP document's domain (to generate the key, see
Generate the RSA key). For example:
https://example.com/.well-known/amphtml/apikey.pub
- The public key must not be roboted.
- The URL must be HTTPS.
- The domain must be the exact domain that you want to update, not a sub or super domain.
- You must publish the key in PEM format and serve the key with the content-type "text/plain".
- The AMP Cache always fetches the public key from the same domain of the request, regardless of the domain specified by the document via any rel=canonical tag. If the origin domain serves an HTTP redirect at the location to be flushed, only the requested path is flushed from cache, and not the target of the redirect.
Update or remove content
You can use update-cache to update or permanently remove content from the Google AMP Cache
after the content has been removed from its origin. To update or remove content, follow the steps below:
- Fetch the following file:
https://cdn.ampproject.org/caches.json
- Iterate through the entries in the
cachesentries in the JSON file. - Select the
cachesthat you want to support. - Call the
update-cacherequest using theupdateCacheApiDomainSuffixfrom eachcacheentry. - Construct the URLs using the following format:
https://example-com.<cache.updateCacheApiDomainSuffix>/update-cache/c/s/example.com/article?amp_action=flush&_ts=<ts_val>&_url_signature=<sig_val>
Generate the RSA key
The OpenSSL project provides command-line tools to generate and manage asymmetric RSA keys. You can also generate RSA keys and manage them programmatically through the OpenSSL library, or an equivalent crypto API (node-crypto, NSS, or GnuTLS).
- Generate a pair of RSA keys in the textual PEM format like
this:
openssl genrsa 2048 > private-key.pem openssl rsa -in private-key.pem -pubout >public-key.pem
- Post the public key on the domain to be refreshed at the following location:
https://example.com/.well-known/amphtml/apikey.pub
The URL must be HTTPS. The key must be publicly accessible by an anonymous user.
- Use the private key to sign the
update-cacherequest. For example:echo -n > url.txt "/update-cache/c/s/example.com/article?amp_action=flush&_ts=$(date +%s)" && cat url.txt | openssl dgst -sha256 -sign private-key.pem > signature.bin
The output to signature.bin is a binary RSA signature.
- Use the public key to verify the signature:
openssl dgst -sha256 -signature signature.bin -verify public-key.pem url.txt
- Encode the binary RSA signature using the web-safe variant of
base64:
cat signature.bin | base64 -w0 | tr '/+' '_-' | tr -d '=' > base64.txt
- Append the base64-encoded RSA signature to the URL using the
amp_url_signaturequery parameter.echo "$(cat url.txt)&_url_signature=$(cat base64.txt)"
Update the RSA key
If you want to update your RSA key, you can access the RSA key through the AMP Cache link and Google may crawl your new RSA key within several hours. Here is the AMP Cache link:
https://example-com.<cache.updateCacheApiDomainSuffix>/r/s/example.com/.well-known/amphtml/apikey.pub