API Request Signature
To access RC server APIs, you need to sign API requests for identity verification by RC services.
The basic process is as follows:
- The application server must pre-configure the App Key and App Secret in the authentication service to ensure subsequent API calls proceed smoothly.
- When calling server APIs, specific HTTP header requirements must be followed. The data signature (Signature) in the HTTP headers needs to be calculated using the App Secret, a random number, and a timestamp.
- Upon receiving the request, the RC server will perform the same calculation with the corresponding App Secret and require an exact match.
- Note that the App Secret must not be leaked. Ensure it is not exposed during network transmission and avoid storing the App Secret in untrusted environments (such as browsers) to prevent potential security risks.
Obtain App Key / App Secret
Obtaining your app's App Key / App Secret is a prerequisite for using RC server APIs. You can query them on the Console's App Key page.
You need to record the App Key and App Secret shown above for use in this tutorial. When requesting RC server API endpoints, each HTTP request must include the app's App Key and data signature. App Secret is used to calculate the data signature—please ensure it is not disclosed.
HTTP Headers
When calling API endpoints, the application server must include the following HTTP header fields (HTTP Request Header) in each request to provide identity authentication information to the RC server:
Default Name | With RC- Prefix | Type | Description |
---|---|---|---|
App-Key | RC-App-Key | String | Obtain your app's App Key for the environment (development/production) from the Console. |
Nonce | RC-Nonce | String | A random string, no longer than 18 characters. |
Timestamp | RC-Timestamp | String | Timestamp in milliseconds since January 1, 1970, 00:00:00 UTC. |
Signature | RC-Signature | String | Data signature. Generate this field's value using the signature calculation method described below. |
Room-Id | N/A | String | The RTC or live streaming room ID. Obtain the room ID via the roomId in RC server callbacks for room status synchronization. See Room Status Synchronization. |
Session-Id | N/A | String | The session ID. Obtain the session ID via the sessionId in RC server callbacks for room status synchronization. See Room Status Synchronization. |
- Room-Id refers to the RTC or live streaming room ID. It is not required when obtaining a Token. Unless explicitly stated otherwise in specific API documentation, this header must be included in other cases.
- Certain PaaS platforms (e.g., SAE) may filter specific HTTP headers. If you encounter issues on such platforms, use the RC- prefixed HTTP Request Headers. In most cases, the default HTTP headers will suffice.
Signature Calculation Method
The data signature (Signature) field must be included in API requests, and its value must be calculated by the application server. Follow these steps:
- Log in to the Console and obtain the App Secret corresponding to your app's App Key.
- Concatenate the following three strings in order (App Secret + Nonce + Timestamp) and compute their SHA1 hash.
  - App Secret: The App Secret corresponding to your app's App Key.
  - Nonce: Random string
  - Timestamp: Timestamp in milliseconds
After verifying the data signature's authenticity, the RC server will execute the requested action. If signature verification fails, the API call will return HTTP status code 401. For other status codes, refer to the Status Code Table.
Below is a PHP code example for calculating the data signature:
<?php
// Replace with your App Secret from the Console. Keep it in server-side configuration only.
$appSecret = 'your-own-app-secret';
// Random nonce: 16 hex characters from the system CSPRNG (within the 18-character limit); no manual seeding is needed.
$nonce = bin2hex(random_bytes(8));
// Timestamp in milliseconds.
$timestamp = time() * 1000;
// Signature: SHA1 of App Secret + Nonce + Timestamp, concatenated in that order.
$signature = sha1($appSecret . $nonce . $timestamp);
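The following Python sketch is an added example, not RC's code or part of the original documentation. It shows both sides of the scheme described above: building the four authentication headers (default or RC- prefixed) and recomputing the signature the way the page says the server does. The function names, the App Key to App Secret dictionary, and the constant-time comparison are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

FIELDS = ("App-Key", "Nonce", "Timestamp", "Signature")


def sign(app_secret, nonce, timestamp_ms):
    """SHA1 hex digest of App Secret + Nonce + Timestamp (the page's formula)."""
    data = (app_secret + nonce + timestamp_ms).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def build_auth_headers(app_key, app_secret, rc_prefix=False, nonce=None, now_ms=None):
    """Return the four authentication headers for one request."""
    if nonce is None:
        nonce = secrets.token_hex(8)  # 16 characters from the OS CSPRNG
    if not 0 < len(nonce) <= 18:
        raise ValueError("Nonce must be 1 to 18 characters")
    if now_ms is None:
        now_ms = int(time.time() * 1000)  # milliseconds since the Unix epoch
    values = (app_key, nonce, str(now_ms), sign(app_secret, nonce, str(now_ms)))
    prefix = "RC-" if rc_prefix else ""  # prefixed names for header-filtering PaaS hosts
    return {prefix + name: value for name, value in zip(FIELDS, values)}


def verify(headers, secrets_by_key):
    """Receiver-side sketch: recompute the signature and require an exact match.

    secrets_by_key is a hypothetical App Key -> App Secret lookup.
    """
    app_key, nonce, ts, sig = (
        headers.get(name) or headers.get("RC-" + name) for name in FIELDS
    )
    app_secret = secrets_by_key.get(app_key)
    if None in (app_secret, nonce, ts, sig):
        return False  # unknown key or missing header
    expected = sign(app_secret, nonce, ts)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), sig.encode())


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    demo = build_auth_headers("demo-app-key", "demo-app-secret")
    print(demo, verify(demo, {"demo-app-key": "demo-app-secret"}))
```

Because the signed string contains only the App Secret, nonce and timestamp, the signature does not cover the request path or body, so send these requests over HTTPS only.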
HTTP Request Example
The following HTTP request example demonstrates the HTTP header fields in an API request.
POST /user/getToken.json HTTP/1.1
Host: api.rong-api.com
App-Key: your-own-app-key
Nonce: 14314
Timestamp: 1408710653000
Signature: 30be0bbca9c9b2e27578701e9fda2358a814c88f
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

userId=jlk456j5&name=Ironman&portraitUri=http%3A%2F%2Fabc.com%2Fmyportrait.jpg