update-ping request to update and remove content from the Google AMP Cache.
update-cache request enables a higher request rate because it has additional security
update-cache request requires the domain owner to
sign the requests with an RSA key and to serve the matching public key from a standard URL on the origin domain.
You can flush any currently cached version of a document by issuing a signed request to the AMP Cache. The update-cache request is called at this address:
update-cache request requires the following parameters and values:
example.com: The domain name specified according to the formats used in the AMP cache URL format.
<cache.updateCacheApiDomainSuffix>: The domain name of the AMP Cache. See Call the update-cache request for more information.
amp_ts=<ts_val>: This parameter represents a UNIX-epoch timestamp, which is used to prevent replay attacks. The value should be the current time in seconds, which must be within 1 minute before or after the current time.
amp_url_signature=<sig_val>: This parameter represents the RSA signature of the entire request path (see Generate the RSA key), including
amp_ts, but excluding the signature itself.
To use the update-cache request, follow the steps below:
- Fetch the following file:
- Iterate through the entries in the
cachesentries in the JSON file.
- Select the
cachesthat you want to support.
- Call the update-cache request using the
- Construct the URLs using the following format:
You must follow the update-cache guidelines:
- The AMP Cache hostname (cdn.ampproject.org) is excluded from the signature to allow submitting the same signed request to multiple AMP Cache operators.
- For signature verification, you must serve the public RSA key at a fixed
location on the AMP document's domain (to generate the key, see
Generate the RSA key). For example:
- The public key must not be roboted.
- The URL must be HTTPS.
- The domain must be the exact domain that you want to update, not a sub or super domain.
- You must publish the key in PEM format and serve the key with the content-type "text/plain".
- The AMP Cache always fetches the public key from the same domain of the request, regardless of the domain specified by the document via any rel=canonical tag. If the origin domain serves an HTTP redirect at the location to be flushed, only the requested path is flushed from cache, and not the target of the redirect.
Generate the RSA key
The OpenSSL project provides command-line tools to generate and manage asymmetric RSA keys. You can also generate RSA keys and them programmatically through the OpenSSL library, or an equivalent crypto API (node-crypto, NSS, or GnuTLS).
- Generate a pair of RSA keys in the textual PEM format like
openssl genrsa 2048 > private-key.pem openssl rsa -in private-key.pem -pubout >public-key.pem
- Post the public key on the domain to be refreshed at the following location:
The URL must be HTTPS. The key must be publicly accessible by an anonymous user.
- Use the private key to sign the AMP update-cache request. For
echo -n >url.txt '/update-cache/c/s/example.com/article?amp_action=flush&_ts=1484941817' cat url.txt | openssl dgst -sha256 -sign private-key.pem >signature.bin
The output to signature.bin is a binary RSA signature.
- Encode the binary RSA signature using the web-safe variant of base64.
- Append the base64-encoded RSA signature to the url using the
- Use the public key to verify the signature:
openssl dgst -sha256 -signature signature.bin -verify public-key.pem url.txt
update-ping request is a
GET request. The
format for this AMP Cache URL,
is as follows:
Remove AMP content
to permanently remove content from the Google AMP Cache
after the content has been removed from its origin.
to purge content formerly served at
update-ping request to:
While cached content that no longer exists will eventually get removed from the cache, using
update-cache is faster.
update-ping usually reduces the maximum removal latency to:
End-to-end latency = Z + 4 minutes, where Z = the latency of the publisher (if any).
update-cache request to purge content fetched
from the origin with HTTPS doesn't purge content fetched with HTTP.
will only purge the content served from
(note the lack of
/s/ in the latter).