Programmable Media

Verifying response signatures

Last updated: Dec-11-2023

Cloudinary adds a signature value in the JSON response to various API methods. You can then compare the returned signature value in the JSON response with the value of a signature generated on your server side.


The signature is a hexadecimal message digest (hash value) created with a SHA (Secure Hash Algorithm) cryptographic function over the following parameters: public_id, version and api_secret.

Note
By default, Cloudinary supports both SHA-1 and SHA-256 digests for validation, and you can use either. The SDK methods use the SHA-1 algorithm by default, but you can use the SHA-256 algorithm instead by setting the signature_algorithm SDK configuration parameter to sha256. If you want to limit your account to allow only the SHA-256 digest for all your validations, submit a request.

Use the Cloudinary SDK's verify_api_response_signature method to verify the signature in the response.

cloudinary 2.x
Not supported by this SDK

Alternatively, you can use the Cloudinary SDK's api_sign_request method to generate a signature on your back-end for comparison purposes.

cloudinary 2.x
cloudinary.utils.api_sign_request(params_to_sign, api_secret)

For example, the signature for the asset with a public_id of "sample" and a version of "1312461204":

cloudinary 2.x
cloudinary.utils.api_sign_request(
  {"public_id": "sample", "version": "1312461204"}, "my_api_secret")

Manually verifying a signature

You can manually generate the comparison signature instead of using the Cloudinary SDK's api_sign_request method.

  1. Create a string with the public_id and version parameters, in that order. Separate the parameter names from their values with an = and join the parameter/value pairs together with an &.
  2. Append your API secret to the end of the string.
  3. Create a hexadecimal message digest (hash value) of the string using a SHA cryptographic function.

For example, if the asset has a public_id of "sample", a version of "1315060510", and your API secret is abcd:

  • Parameters to sign:
    • public_id: sample
    • version: 1315060510
  • Serialized sorted parameters in a single string:
    • public_id=sample&version=1315060510
  • String including the API secret that is used to create the SHA-1 signature:
    • public_id=sample&version=1315060510abcd
  • SHA-1 hexadecimal result:
    • b4ad47fb4e25c7bf5f92a20089f9db59bc302313

An example of the above in Ruby on Rails:

Ruby
require 'digest'

public_id = "sample"
version = "1315060510"
secret = "abcd"

# Serialize the parameters in order, then append the API secret with no separator
to_sign = 'public_id=' + public_id + '&' + 'version=' + version
# Hexadecimal SHA-1 digest, matching the result shown above
signature = Digest::SHA1.hexdigest(to_sign + secret)
