Authentication

This page explains the authentication schema used by the Videola.io SDK for iOS as well as the best practices for your implementation.

API Credentials and Token Signing

In order to use the Videola.io SDK, you need to have valid API credentials. The credentials consist of a client ID and an API secret, which you can obtain by applying on this page. The client ID is registered in your AppDelegate after application startup as follows:

Every time the screen start a video or voice call, it will fire the requestToSignApiAuthToken event. For the calls to successfully connect, you will need to implement a delegate function for this event, where you:

  1. Pass the received token value to your server-side signer endpoint
  2. Receive the Base64-encoded HMAC signature for the token from the server side
  3. Pass the signature to the SDK using the [VideolaCallManager authorize:] method.

The token HMAC is computed with SHA-256 as the hash function and with your API secret as the HMAC’s secret key.

Here is how you can compute the HMAC on the server side in a Node.js app (example taken from the server-side part of our Embed API demo). This snippet assumes that the token to sign arrives to the server in the req parameter, i.e. the HTTP request body:

Please refer to Setup and Basic Usage for a complete example of SDK authentication.

Security Considerations

You should keep your API secret secure at all times and never expose it in the client code. We strongly recommend computing the token HMAC on the server side with proper authentication of your app. Please refer to our iOS sample project for an example of computing the HMAC on the server side.