UserSigis a security signature designed by Tencent Cloud to prevent attackers from accessing your Tencent Cloud account. Currently, Tencent Cloud services including TRTC, IM, and MLVB all use this security mechanism. To use these services, you must pass in three parameters –
UserSig– to the initialization or login API of the corresponding SDK.
SDKAppIDidentifies an application, and
UserIDidentifies a user.
UserSigis a security signature calculated based on
UserIDusing the HMAC SHA256 encryption algorithm. Attackers cannot use your Tencent Cloud traffic as long as they don’t have
UserSig. See the figure below for how
UserSigis calculated. Basically, it involves hashing crucial information such as
// UserSig formula, in which `secretkey` is the key used to calculate UserSigusersig = hmacsha256(secretkey, (userid + sdkappid + currtime + expire +base64(userid + sdkappid + currtime + expire)))
currtimeis the current system time and
expirethe expiration time of the signature.
UserSigduring debugging or demo run?
UserSigeither using our client-side sample code or in the console:
SECRETKEYin the client code (especially on the web) may be easily decompiled and reversed. If your key is leaked, attackers can steal your Tencent Cloud traffic.
UserSigcalculation code on your project server so that your application can request from your server a
UserSigthat is calculated whenever one is needed.
UserSigusing client-side sample code
SDKAppIDand key: 1. Log in to the TRTC console and click Application Management. 2. Find your application and click Configuration. 3. In Basic information, SDKSecretKey is the key used to calculate
UserSig. 4. Copy the key.
UserSig: We offer source code for calculating
UserSigon different platforms.
GenerateTestUserSigin the TRTC SDK sample code. Set the three member variables of
SECRETKEY, and you will be able to call
genTestUserSig()to obtain the
UserSigand get started quickly.
UserSigin the console
SDKAppID) from the drop-down list. A secret key will be generated automatically.
UserSigin a production environment?
UserSigcalculation offers stronger protection against key leakage because it is more difficult to hack a server than it is to reverse engineer an application. See below for detailed directions:
UserSigfrom your server.
UserSigbased on the
UserID. The calculation source code is provided above.
UserSigto your application.
UserSigto the SDK through a specific API.
SDKAppID + UserID + UserSigto the Tencent Cloud server for verification.
UserSigis valid, services will be provided to the TRTC SDK.
UserSigcalculation source code (new algorithm) in multiple languages.
UserSigcalculation source code using the legacy algorithm
SDKAppID) created on and after July 19, 2019 will use the new HMAC-SHA256 algorithm.
SDKAppID) was created before July 19, 2019, you can continue to use the old signature algorithm, whose source code can be downloaded below.