Programmable Media

Verifying response signatures

Last updated: Dec-11-2023

Cloudinary adds a signature value in the JSON response to various API methods. You can then compare the returned signature value in the JSON response with the value of a signature generated on your server side.

The signature is a hexadecimal message digest (hash value) created with an SHA (Secure Hash Algorithm) cryptographic function on the following parameters: public_id, version and api_secret.

By default, Cloudinary supports both SHA-1 and SHA-256 digests for validation, and you can use either. The SDK methods use the SHA-1 algorithm by default, but you can use the SHA-256 algorithm instead by setting the signature_algorithm SDK configuration parameter to sha256. If you want to limit your account to allow only the SHA-256 digest for all your validations, submit a request.

Use the Cloudinary SDK's verify_api_response_signature method to verify the signature in the response.

Alternatively, you can use the Cloudinary SDK's api_sign_request method to generate a signature on your back-end for comparison purposes.

For example, the signature for the asset with a public_id of "sample" and a version of "1312461204":

Manually verifying a signature

You can manually generate the comparison signature instead of using the Cloudinary SDK's api_sign_request method.

  1. Create a string with the public_id and version parameters, in that order. Separate the parameter names from their values with an = and join the parameter/value pairs together with an &.
  2. Append your API secret to the end of the string.
  3. Create a hexadecimal message digest (hash value) of the string using an SHA cryptographic function.

For example, if the asset has a public_id of "sample", a version of "1315060510", and your API secret is abcd:

  • Parameters to sign:
    • public_id: sample
    • version: 1315060510
  • Serialized sorted parameters in a single string:
    • public_id=sample&version=1315060510
  • String including the API secret that is used to create the SHA-1 signature:
    • public_id=sample&version=1315060510abcd
  • SHA-1 hexadecimal result:
    • b4ad47fb4e25c7bf5f92a20089f9db59bc302313

An example of the above in Ruby on Rails:

✔️ Feedback sent!

Rate this page: