Update AMP Content

Use the update-cache request to update and remove content from the Google AMP Cache. Currently, update-cache only ensures that the content is updated within its max-age, which means the maximum amount of time a resource will be considered fresh.

The update-cache request requires the domain owner to sign the requests with an RSA key and to serve the matching public key from a standard URL on the origin domain.

You can flush any currently cached version of a document by issuing a signed request to the AMP Cache. The update-cache request is called at this address:

https://example-com.<cache.updateCacheApiDomainSuffix>/update-cache/c/s/example.com/article?amp_action=flush&amp_ts=<ts_val>&amp_url_signature=<sig_val>

Parameters

The update-cache request requires the following parameters and values:

Parameters
example-com and example.com

Required

The domain name specified according to the formats used in the AMP cache URL format.
<cache.updateCacheApiDomainSuffix>

Required

The domain name of the AMP Cache. See Call the update-cache request for more information.
amp_ts=<ts_val>

Required

This parameter represents a UNIX-epoch timestamp, which is used to prevent replay attacks. The value should be the current time in seconds, which must be within 1 minute before or after the current time.
amp_url_signature=<sig_val>

Required

This parameter represents the RSA signature of the entire request path (see Generate the RSA key), including amp_action and amp_ts, but excluding the signature itself.

Guidelines

You must follow the update-cache guidelines:

  • The AMP Cache hostname (cdn.ampproject.org) is excluded from the signature to allow submitting the same signed request to multiple AMP Cache operators.
  • For signature verification, you must serve the public RSA key at a fixed location on the AMP document's domain (to generate the key, see Generate the RSA key). For example:
    https://example.com/.well-known/amphtml/apikey.pub
  • The public key must not be roboted.
  • The URL must be HTTPS.
  • The domain must be the exact domain that you want to update, not a sub or super domain.
  • You must publish the key in PEM format and serve the key with the content-type "text/plain".
  • The AMP Cache always fetches the public key from the same domain of the request, regardless of the domain specified by the document via any rel=canonical tag. If the origin domain serves an HTTP redirect at the location to be flushed, only the requested path is flushed from cache, and not the target of the redirect.

Update or remove content

You can use update-cache to update or permanently remove content from the Google AMP Cache after the content has been removed from its origin. To update or remove content, follow the steps below:

  1. Fetch the following file:
    https://cdn.ampproject.org/caches.json
  2. Iterate through the entries in the caches entries in the JSON file.
  3. Select the caches that you want to support.
  4. Call the update-cache request using the updateCacheApiDomainSuffix from each cache entry.
  5. Construct the URLs using the following format:
    https://example-com.<cache.updateCacheApiDomainSuffix>/update-cache/c/s/example.com/article?amp_action=flush&amp_ts=<ts_val>&amp_url_signature=<sig_val>

Generate the RSA key

The OpenSSL project provides command-line tools to generate and manage asymmetric RSA keys. You can also generate RSA keys and manage them programmatically through the OpenSSL library, or an equivalent crypto API (node-crypto, NSS, or GnuTLS).

  1. Generate a pair of RSA keys in the textual PEM format like this:
    openssl genrsa 2048 > private-key.pem
    openssl rsa -in private-key.pem -pubout >public-key.pem
  2. Post the public key on the domain to be refreshed at the following location:
    https://example.com/.well-known/amphtml/apikey.pub

    The URL must be HTTPS. The key must be publicly accessible by an anonymous user.

  3. Use the private key to sign the update-cache request. For example:
    echo -n > url.txt "/update-cache/c/s/example.com/article?amp_action=flush&amp_ts=$(date +%s)" && cat url.txt | openssl dgst -sha256 -sign private-key.pem > signature.bin

    The output to signature.bin is a binary RSA signature.

  4. Use the public key to verify the signature:
    openssl dgst -sha256 -signature signature.bin -verify public-key.pem url.txt
  5. Encode the binary RSA signature using the web-safe variant of base64:
    cat signature.bin | base64 -w0 | tr '/+' '_-' | tr -d '=' > base64.txt
  6. Append the base64-encoded RSA signature to the URL using the amp_url_signature query parameter.
    echo "$(cat url.txt)&amp_url_signature=$(cat base64.txt)"

Update the RSA key

If you want to update your RSA key, you can access the RSA key through the AMP Cache link and Google may crawl your new RSA key within several hours. Here is the AMP Cache link:

https://example-com.<cache.updateCacheApiDomainSuffix>/r/s/example.com/.well-known/amphtml/apikey.pub