Authenticating server-to-server callbacks

Last updated: 2022-03-31 18:10

To ensure system security, you must authenticate every callback request sent from the ZEGO server to your application server. You can verify the callback request by comparing the signature included in the request with the locally calculated signature.

Verifying the callback request signature

The following flow chart shows the signature calculation and verification process:

Parameter descriptions:

  • callbacksecret: The secret key for verifying the callback request sent from the ZEGOCLOUD server to your application server.
    This callback secret key is automatically generated for your project when you create your project in the ZEGOCLOUD Admin Console.
    To view the callback secret of your project:
    1. Log in to the ZEGOCLOUD Admin Console.
    2. Click Edit for your project.
    3. In the Basic Configurations section, view the ServerSecret.
  • timestamp: A Unix timestamp.
  • nonce: A random number.

Sample code

Refer to the following sample code for how to generate and verify the callback request signature.

  • Sample code in PHP
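// Obtain the values of signature, timestamp, and nonce from the request parameters.
$signature = $_POST["signature"] ?? "";
$timestamp = $_POST["timestamp"] ?? "";
$nonce = $_POST["nonce"] ?? "";

// callbacksecret is a placeholder for the CallbackSecret obtained from the ZEGO Admin Console.
$secret = callbacksecret;
// Sort the three values as strings, concatenate them, and compute the SHA-1 hex digest.
$tmpArr = array($secret, $timestamp, $nonce);
sort($tmpArr, SORT_STRING);
$tmpStr = implode($tmpArr);
$tmpStr = sha1($tmpStr);

// Compare in constant time. A loose == comparison can treat two different
// "0e..." digests as equal numbers, and it leaks timing information.
if (is_string($signature) && hash_equals($tmpStr, $signature)) {
    return true;
} else {
    return false;
}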
  • Sample code in Java
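// Requires: import java.util.Arrays;
// Obtain the values of signature, timestamp, and nonce from the request parameters.
String signature = request.getParameter("signature");
String timestamp = request.getParameter("timestamp"); // getParameter returns a String
String nonce = request.getParameter("nonce");
if (signature == null || timestamp == null || nonce == null) {
    return false; // Reject requests that lack any of the three parameters.
}

// callbacksecret is a placeholder for the CallbackSecret obtained from the ZEGO Admin Console.
String secret = callbacksecret;

// Sort the three values as strings and concatenate them.
String[] tempArr = {secret, timestamp, nonce};
Arrays.sort(tempArr);

String tmpStr = "";
for (int i = 0; i < tempArr.length; i++) {
    tmpStr += tempArr[i];
}
tmpStr = org.apache.commons.codec.digest.DigestUtils.sha1Hex(tmpStr);

// Compare the two digests in constant time.
return java.security.MessageDigest.isEqual(
        tmpStr.getBytes(java.nio.charset.StandardCharsets.UTF_8),
        signature.getBytes(java.nio.charset.StandardCharsets.UTF_8));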

Sample output

$timestamp = 1470820198;
$nonce = 123412;
$secret = 'secret';

The concatenated string before hashing: 1234121470820198secret
The SHA-1 hash of the concatenated string: 5bd59fd62953a8059fb7eaba95720f66d19e4517
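
The same verification in Python, as an added example that is not ZEGOCLOUD's sample code. It goes beyond the samples above by also rejecting stale timestamps and repeated (timestamp, nonce) pairs; the `CallbackVerifier` class, the 300-second window, the in-memory cache, and the result strings are assumptions, not part of the ZEGOCLOUD API.

```python
import hashlib
import hmac
import time


def signing_string(secret, timestamp, nonce):
    """Sort the three values as strings and concatenate, as the page's samples do."""
    return "".join(sorted([secret, timestamp, nonce]))


def compute_signature(secret, timestamp, nonce):
    return hashlib.sha1(signing_string(secret, timestamp, nonce).encode("utf-8")).hexdigest()


class CallbackVerifier:
    """Hypothetical helper: signature check plus freshness and replay checks."""

    def __init__(self, secret, max_skew=300):
        self.secret = secret
        self.max_skew = max_skew  # assumption: the page defines no freshness window
        self._seen = {}           # (timestamp, nonce) -> expiry time

    def verify(self, params, now=None):
        now = time.time() if now is None else now
        sig, ts, nonce = (params.get(k) for k in ("signature", "timestamp", "nonce"))
        if not all(isinstance(v, str) and v for v in (sig, ts, nonce)):
            return "missing_field"
        expected = compute_signature(self.secret, ts, nonce)
        # Constant-time comparison of the two hex digests.
        if not hmac.compare_digest(expected.encode(), sig.encode("utf-8", "replace")):
            return "bad_signature"
        # Assumption: timestamp is Unix time in seconds, as in the page's sample.
        if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > self.max_skew:
            return "stale_timestamp"
        # Drop expired entries, then reject a (timestamp, nonce) pair seen before.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        if (ts, nonce) in self._seen:
            return "replayed"
        self._seen[(ts, nonce)] = now + 2 * self.max_skew
        return "ok"


# Constructed request built from the values in the page's "Sample output".
SAMPLE = {"timestamp": "1470820198", "nonce": "123412"}
SAMPLE["signature"] = compute_signature("secret", SAMPLE["timestamp"], SAMPLE["nonce"])

if __name__ == "__main__":
    verifier = CallbackVerifier("secret")
    print(verifier.verify(SAMPLE, now=1470820200))
    print(verifier.verify(SAMPLE, now=1470820201))
```

With more than one application server process, the replay cache would have to live in a store shared by all of them.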