Verifying response signatures

Cloudinary adds a signature value in the JSON response to various API methods. You can then compare the returned signature value in the JSON response with the value of a signature generated on your server side.

The signature is a hexadecimal message digest (hash value) created with an SHA (Secure Hash Algorithm) cryptographic function on the following parameters: public_id, version and api_secret.

Use the Cloudinary SDK's verify_api_response_signature method to verify the signature in the response.

Alternatively, you can use the Cloudinary SDK's api_sign_request method to generate a signature on your back-end for comparison purposes.

For example, the signature for the asset with a public_id of "sample" and a version of "1312461204":

Manually verifying a signature

You can manually generate the comparison signature instead of using the Cloudinary SDK's api_sign_request method.

1. Create a string with the public_id and version parameters, in that order. Separate the parameter names from their values with an = and join the parameter/value pairs together with an &.
2. Append your API secret to the end of the string.
3. Create a hexadecimal message digest (hash value) of the string using an SHA cryptographic function.

For example, if the asset has a public_id of "sample", a version of "1315060510", and your API secret is abcd:

• Parameters to sign:
  • public_id: sample
  • version: 1315060510
• Serialized sorted parameters in a single string:
  • public_id=sample&version=1315060510
• String including the API secret that is used to create the SHA-1 signature:
  • public_id=sample&version=1315060510abcd
• SHA-1 hexadecimal result:
  • b4ad47fb4e25c7bf5f92a20089f9db59bc302313

An example of the above in Ruby on Rails: