The live snapshot and live recording services in Alibaba Cloud LIVE allow you to add a specific signature header to HTTP and HTTPS callbacks. Your callback server can use this header to authenticate the signature and prevent unauthorized or invalid requests. This topic describes the parameters, rules, and considerations for HTTP callback authentication.
Applicable features
Authentication parameters
The following table describes the authentication parameters that you can add to HTTP callback request headers.
Field | Description |
ALI-LIVE-TIMESTAMP | The time when the callback request is initiated. The value is a UNIX timestamp in seconds. |
ALI-LIVE-SIGNATURE | The signature string, which is a 32-bit MD5 hash. For more information, see Signature algorithm. |
Signature calculation
The value of the ALI-LIVE-SIGNATURE parameter is generated based on the values of the parameters described in the following table.
Field | Example | Description |
Callback domain name | | The host in the callback URL. For example, if the callback URL is |
ALI-LIVE-TIMESTAMP | 1519375990 | The time when the callback request is initiated. The value is a UNIX timestamp in seconds. |
NotifyAuthKey | yourkey | The preset signature key. Note: Call the UpdateLiveSnapshotNotifyConfig operation to update the NotifyAuthKey. |
Concatenate the parameters
Concatenate the three fields, separated by vertical bars (|), and then calculate the MD5 hash of the concatenated string. For example:
MD5Content = Callback domain name|ALI-LIVE-TIMESTAMP|NotifyAuthKey
ALI-LIVE-SIGNATURE = md5sum(MD5Content)
Field calculation
The following example shows how to calculate the value of the ALI-LIVE-SIGNATURE field.
ALI-LIVE-SIGNATURE = md5sum(learn.aliyundoc.com|1519375990|yourkey)
Authentication rules
The callback server concatenates the configured callback domain name, the ALI-LIVE-TIMESTAMP value, and the NotifyAuthKey string. It then calculates the MD5 hash of the concatenated string. The server compares this hash with the value of the ALI-LIVE-SIGNATURE field. If the values do not match, the request is invalid.
The callback server retrieves the current time and subtracts the time specified in the ALI-LIVE-TIMESTAMP field of the callback request. If the difference exceeds a specified period, such as 5 minutes, the request is considered invalid. You define this period on your server.
The time difference may be inaccurate due to factors such as incorrect time settings. You can decide whether your server performs this validation.
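The following is an added example, not code from Alibaba Cloud, of how a callback server could apply both rules above. The function names, the `(ok, reason)` return shape, the 300-second default window, and the acceptance of upper-case hex are assumptions; the sample values are the ones used on this page.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: the 5-minute window the page gives as an example


def expected_signature(callback_host, timestamp, notify_auth_key):
    """MD5 hex digest of 'host|ALI-LIVE-TIMESTAMP|NotifyAuthKey'."""
    content = f"{callback_host}|{timestamp}|{notify_auth_key}"
    return hashlib.md5(content.encode("utf-8")).hexdigest()


def verify_callback(headers, callback_host, notify_auth_key,
                    now=None, max_skew=MAX_SKEW_SECONDS, check_time=True):
    """Return (ok, reason) for the headers of one callback request."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.upper(): v.strip() for k, v in headers.items()}
    ts = h.get("ALI-LIVE-TIMESTAMP", "")
    sig = h.get("ALI-LIVE-SIGNATURE", "")
    if not ts or not sig:
        return False, "missing authentication header"
    if not (ts.isascii() and ts.isdigit()):
        return False, "malformed timestamp"
    # Sign with the host configured on this server, not the request's Host header.
    want = expected_signature(callback_host, ts, notify_auth_key)
    # Constant-time comparison; bytes so that non-ASCII input cannot raise.
    if not hmac.compare_digest(want.encode(), sig.lower().encode("utf-8")):
        return False, "signature mismatch"
    # The page leaves the freshness check optional (check_time=False skips it).
    if check_time:
        current = time.time() if now is None else now
        if abs(current - int(ts)) > max_skew:
            return False, "timestamp outside allowed window"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample using the page's example values.
    host, ts, key = "learn.aliyundoc.com", "1519375990", "yourkey"
    sample = {"Ali-Live-Timestamp": ts,
              "Ali-Live-Signature": expected_signature(host, ts, key)}
    print(verify_callback(sample, host, key, now=int(ts) + 30))      # fresh
    print(verify_callback(sample, host, key, now=int(ts) + 3600))    # stale
    sample["Ali-Live-Timestamp"] = "1519379590"                      # altered
    print(verify_callback(sample, host, key, now=1519379590))
```

The signature covers only the host, the timestamp, and the key, so a successful check authenticates the sender within the time window but says nothing about the integrity of the request body.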
Considerations
Callback authentication is optional, but we recommend that you enable it. If you set a NotifyAuthKey, callback requests include all authentication-related content. Your callback server can then use this content for authentication. Setting a NotifyAuthKey does not affect existing features. You can decide whether to perform the validation.
Your service is not affected if you do not set a NotifyAuthKey.
An updated NotifyAuthKey takes effect only after you restart stream ingest. For ongoing stream ingest, callbacks still use the old NotifyAuthKey.