Last updated: Jan-17-2025
Cloudinary adds a signature value in the JSON response to various API methods. You can then compare the returned signature value in the JSON response with the value of a signature generated on your server side.
The signature is a hexadecimal message digest (hash value) created with an SHA (Secure Hash Algorithm) cryptographic function on the following parameters: public_id, version and api_secret.
signature_algorithm SDK configuration parameter to sha256. If you want to limit your account to allow only the SHA-256 digest for all your validations, submit a request.
Use the Cloudinary SDK's verify_api_response_signature method to verify the signature in the response.
Alternatively, you can use the Cloudinary SDK's api_sign_request method to generate a signature on your back-end for comparison purposes.
For example, the signature for the asset with a public_id of "sample" and a version of "1312461204":
Manually verifying a signature
You can manually generate the comparison signature instead of using the Cloudinary SDK's api_sign_request method.
- Create a string with the public_id and version parameters, in that order. Separate the parameter names from their values with an = and join the parameter/value pairs together with an &.
- Append your API secret to the end of the string.
- Create a hexadecimal message digest (hash value) of the string using an SHA cryptographic function.
For example, if the asset has a public_id of "sample", a version of "1315060510", and your API secret is abcd:
- Parameters to sign:
  - public_id: sample
  - version: 1315060510
- Serialized sorted parameters in a single string:
  public_id=sample&version=1315060510
- String including the API secret that is used to create the SHA-1 signature:
  public_id=sample&version=1315060510abcd
- SHA-1 hexadecimal result:
  b4ad47fb4e25c7bf5f92a20089f9db59bc302313
An example of the above in Ruby on Rails:
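The manual steps above as a plain-Ruby sketch. This is an added example, not code from the original documentation or the Cloudinary SDK. The method names, the constant-time comparison and the response Hash layout (string keys public_id, version, signature) are assumptions made for illustration.

```ruby
require "digest"

# Digest classes for the two algorithms the page names.
DIGESTS = { "sha1" => Digest::SHA1, "sha256" => Digest::SHA256 }.freeze

# public_id and version, in that order, as name=value pairs joined with "&",
# with the API secret appended directly to the end.
def string_to_sign(public_id, version, api_secret)
  "public_id=#{public_id}&version=#{version}#{api_secret}"
end

# Hexadecimal digest of the string to sign.
def expected_signature(public_id, version, api_secret, algorithm = "sha1")
  digest = DIGESTS.fetch(algorithm) do
    raise ArgumentError, "unsupported algorithm: #{algorithm}"
  end
  digest.hexdigest(string_to_sign(public_id, version, api_secret))
end

# Compare without returning early at the first differing byte, so timing
# does not reveal how much of a guessed signature was correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# True only when the response carries a signature equal to the local one.
# `response` is the parsed JSON response as a Hash with string keys.
def response_signature_valid?(response, api_secret, algorithm = "sha1")
  received = response["signature"]
  return false unless received.is_a?(String)
  expected = expected_signature(response["public_id"], response["version"],
                                api_secret, algorithm)
  secure_equal?(expected, received)
end

# Constructed sample response using the values from the worked example.
sample = {
  "public_id" => "sample",
  "version"   => 1315060510,
  "signature" => "b4ad47fb4e25c7bf5f92a20089f9db59bc302313"
}
puts "signature valid: #{response_signature_valid?(sample, 'abcd')}"
tampered = sample.merge("version" => 1315060511)
puts "tampered valid:  #{response_signature_valid?(tampered, 'abcd')}"
```

Pass the same algorithm name that the account signs with. A SHA-256 response checked as SHA-1 fails on length alone.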