UserSig is a security signature designed by Tencent Cloud for the purpose of preventing attackers from misappropriating your Tencent Cloud permissions.
Currently, Tencent Cloud services including TRTC, IM, and MLVB all use this security mechanism. Whenever you want to use these services, you must provide three key pieces of information, i.e. `SDKAppID`, `UserID`, and `UserSig`, in the initialization or login function of the corresponding SDK. `SDKAppID` is used to identify your application, and `UserID` your user. `UserSig` is a security signature calculated based on the two parameters using the HMAC-SHA256 keyed-hash algorithm. Attackers cannot use your Tencent Cloud traffic without authorization as long as they cannot forge a `UserSig`.
See the figure below for how `UserSig` is calculated. Basically, it involves hashing crucial information such as

```
// `UserSig` calculation formula, in which `secretkey` is the key used to calculate `UserSig`.
usersig = hmacsha256(secretkey, (userid + sdkappid + currtime + expire + base64(userid + sdkappid + currtime + expire)))
```
`SDKAppID`, click Application Info, and select the Quick Start tab.
`UserSig` in the Step 2: obtain the secret key to issue UserSig block.
TRTC SDK 6.6 (August 2019) and later versions use the new signature algorithm HMAC-SHA256. If your application was created before August 2019, you need to upgrade the signature algorithm to get a new key. Without upgrading, you can continue to use the old algorithm ECDSA-SHA256. After upgrading, you can switch between the new and old algorithms as needed.
`UserSig` on the client?
We provide an open-source module called `GenerateTestUserSig` in the TRTC SDK sample code. Set the three member variables of `SECRETKEY`, and you will be able to call the `genTestUserSig()` function to obtain the `UserSig` and quickly run the features of the SDK.
|Applicable Platform||File Source Code Link||File Relative Path|
This method is only applicable for debugging. It is not recommended for official launch because the `SECRETKEY` in the client code (especially for the web) may be easily extracted by decompiling and reverse engineering. If your key is leaked, attackers can steal your Tencent Cloud traffic.
The correct method is to deploy the `UserSig` calculation code on your project server so that your app can request a `UserSig` from your server, calculated whenever one is needed.
`UserSig` on the server?
Using the server to calculate `UserSig` offers the utmost protection against key leakage, for it is more difficult to hack a server than it is to reverse engineer an application. See below for the specific method.
`UserSig` from your server.
`UserSig` based on the `UserID`. You can find the calculation source code in the first half of this document.
`UserSig` to your application.
`UserSig` to the SDK through a specific API.
`SDKAppID` + `UserID` + `UserSig` to the Tencent Cloud server for verification.
`UserSig` is valid, real time audio/video services will be provided to the TRTC SDK.
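The server-side flow above, as an added Python example (not Tencent's code and not its actual token format): the signature follows the formula given earlier on this page, the key stays on the server, and the verifier rechecks the MAC, the identity, and the expiry. The token layout, the function names, and the sample key and `SDKAppID` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def _sign(secret_key, user_id, sdk_app_id, curr_time, expire):
    # Formula from this page: hmacsha256(secretkey, fields + base64(fields))
    fields = f"{user_id}{sdk_app_id}{curr_time}{expire}"
    msg = fields + base64.b64encode(fields.encode()).decode()
    mac = hmac.new(secret_key.encode(), msg.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def issue_usersig(secret_key, sdk_app_id, user_id, expire=86400, now=None):
    """Runs on your server only; the client receives the token, never the key."""
    curr_time = int(time.time()) if now is None else int(now)
    claims = {"userid": user_id, "sdkappid": sdk_app_id,
              "currtime": curr_time, "expire": expire}
    claims["sig"] = _sign(secret_key, user_id, sdk_app_id, curr_time, expire)
    # Assumed token layout: URL-safe base64 of the JSON claims plus signature.
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()


def verify_usersig(secret_key, sdk_app_id, user_id, token, now=None):
    """Recompute the MAC with the shared key, then check identity and expiry."""
    now = int(time.time()) if now is None else int(now)
    try:
        c = json.loads(base64.urlsafe_b64decode(token))
        expected = _sign(secret_key, c["userid"], c["sdkappid"],
                         c["currtime"], c["expire"])
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), str(c["sig"]).encode()):
            return False
        return (c["userid"] == user_id and c["sdkappid"] == sdk_app_id
                and c["currtime"] <= now < c["currtime"] + c["expire"])
    except (ValueError, KeyError, TypeError):
        return False  # malformed token


if __name__ == "__main__":
    key = "constructed-demo-key"  # constructed value; load the real key from server config
    tok = issue_usersig(key, 1400000000, "alice", expire=3600)  # constructed SDKAppID
    print(verify_usersig(key, 1400000000, "alice", tok))
```

Because the expiry and `UserID` are inside the signed message, a client that edits either field in a token it received invalidates the signature.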
To simplify your implementation process, we provide `UserSig` calculation source code in multiple languages.
|Language||Signature Algorithm||Key Function||Download Link|
`UserSig` with the old algorithm?
To simplify the signature calculation process and facilitate your use of Tencent Cloud services, on July 19, 2019, TRTC switched from ECDSA-SHA256 to the new signature algorithm HMAC-SHA256. This means that all `SDKAppID`s created on and after July 19, 2019 will use the new HMAC-SHA256 algorithm.
If your `SDKAppID` was created before July 19, 2019, you can continue to use the old signature algorithm, whose source code can be downloaded from the links below.