Signature Generation (Deprecated)

To securely organize your user-uploaded videos, you can declare a static label and or a regular expression dynamic parameter.

API queries are required to be signed in order to ensure account security. We present these steps as an example of generating a signed API request. The query produced in this example is valid and illustrates how to compose and sign a qualified request. A detailed signing example is available.

Account-specific codes for Provider ID (pcode) and Secret (secret) can be found in Backlot ACCOUNT tab under Developers (see Your API Credentials). The pcode is the 28-character alphanumeric string that precedes the period in the API Key. The Secret Code is 40 characters long. Both are case sensitive and include alphanumeric characters, dashes (-), and underscores (_). These codes are required to generate a signature for each request to and from the Ooyala servers.


Partner Code: lsNTrbQBqCQbH-VA6ALCshAHLWrV
Secret Code: hn-Rw2ZH-YwllUYkklL5Zo_7lWJVkrbShZPb5CD1

Note: These parameters point to a shared account accessible via API to any Backlot partner for preliminary testing. Content and metadata uploaded to this account is visible to all users.

The pcode, secret code, all required parameters, and all included optional parameters are used to generate a SHA-256 signature for the call. We present this example on how to generate a signature and URI-encode the parameters for the call.

  1. Begin with the 40 character Secret Code (see Your API Credentials). hn-Rw2ZH-YwllUYkklL5Zo_7lWJVkrbShZPb5CD1
  2. Sort the parameter names alphabetically and append <name>=<value> pairs to the string. The SHA-256 signature is generated with the result, which does not include the pcode.This example uses expires=1893013926, dynamic[any]=^/any/ano, dynamic[some]=^/any/some$, label[0]=/bysmthng/qqq, label[a]=/byuser/u1, and status=pending. hn-Rw2ZH-YwllUYkklL5Zo_7lWJVkrbShZPb5CD1dynamic[any]=^/any/anodynamic[some]=^/any/some$expires=1893013926label[0]=/bysmthng/qqqlabel[a]=/byuser/u1status=pending
  3. Generate an SHA-256 digest in base 64 format on this string, truncate the string to 43 characters and drop any trailing '=' signs. URI encode the signature specifically '+','=', and '/'. This example produces a signature of mNkdZprvtjKtve5EGLop3ZFszwrquOyBcxQrR+x38u8
  4. Include the above generated signature into the string you pass to setParameters() in a URI-encoded manner. In our example, this yields the following:

    var paramStr = 'pcode=lsNTrbQBqCQbH-VA6ALCshAHLWrV&status=pending&expires=1893013926&label[a]=/byuser/u1&

    Special characters, such as ‘+’ and ‘/’ are URI-escaped in this string. We offer two ways in which to easily accomplish URI-escaping of the parameter string:

    // First, using JavaScript Object properties:
    var paramStr =


    // Second, using array of objects with 'name' and 'value'
    // properties:
    var paramStr =
      { name:'pcode', value:'lsNTrbQBqCQbH-VA6ALCshAHLWrV'},
      { name:'status' , value:'pending'},
      { name:'expires', value:'1893013926'},
      { name:'label[a]', value:'/byuser/u1'},
      { name:'label[0]', value:'/bysmthng/qqq'},
      { name:'dynamic[some]', value:'^/any/some$'},
      { name:'dynamic[any]', value:'^/any/ano'},
      { name:'signature', value:'mNkdZprvtjKtve5EGLop3ZFszwrquOyBcxQrR+x38u8'}
  5. To begin an upload, call ooyalaUploader.setParameters(String), with the string comprised of &-separated pairs of <URI-encoded-name>=<URI-encoded-value>. setParameters(paramStr)

The string from our example that would be passed to setParameters() is:


The partner may prefer to generate this signed string on the server, embedding the string on an HTML page while generating it. In this case, use an expiration equal to the user session expiration time or, if you do not maintain user sessions, equal to a limited number of minutes. However, the partner may also prefer to use some advanced techniques, such as using AJAX, JSON, etc. to initiate a request to the server generating the signed string, immediately before invoking ooyalaUploader.upload() and setParameters() with the results of the AJAX/JSON invocation. This advanced technique allows the use of an expiration interval within a few seconds and validates upload parameters before initiating upload request.

Was this article helpful?