This page explains the authentication scheme used by the SDK for Android, as well as best practices for your implementation.

API Credentials and Token Signing

In order to use the SDK, you need to have valid API credentials. The credentials consist of a client ID and an API secret, which you can obtain by applying on this page. The client ID is passed using clientId() when initializing a video call screen as follows:

Every time the screen starts a video or voice call, it will fire the requestToSignApiAuthToken event. For the calls to successfully connect, you will need to implement a handler for this event, where you:

  1. Pass the received token value to your server-side signer endpoint.
  2. Receive the Base64-encoded HMAC signature for the token from the server side.
  3. Pass the signature to the SDK using the Videola.authorize() method.

The token HMAC is computed with SHA-256 as the hash function and with your API secret as the HMAC’s secret key.

Here is how you can compute the HMAC on the server side in a Node.js app (example taken from the server-side part of our Embed API demo). This snippet assumes that the token to sign arrives at the server in the req parameter, i.e. the HTTP request body:

Please refer to Setup and Basic Usage for a complete example of SDK authentication.

Security Considerations

You should keep your API secret secure at all times and never expose it in the client code. We strongly recommend computing the token HMAC on the server side with proper authentication of your app. Please refer to our Android sample app for an example of computing the HMAC on the server side.