DocsICP FilingConsole
官方文档
首页

HTTP callback

更新时间:
复制 MD 格式
产品详情
我的收藏

This document describes the mechanism, usage, and authentication for event notifications that use HTTP callbacks.

How it works

  1. Deploy an HTTP service to receive callback messages and configure a callback URL in ApsaraVideo VOD.

  2. When an event occurs, the ApsaraVideo VOD server sends an HTTP POST request to this URL, with the event notification content in the request body.

  3. Your HTTP service authenticates the signature of the incoming HTTP POST request. If authentication is successful, your service must respond with a 200 status code to indicate a successful callback. Any other status code or a response timeout results in a callback failure. For more information about how authentication works, see How callback authentication works.

  4. After a successful callback, your configured callback URL receives the corresponding event notification. If a callback fails, ApsaraVideo VOD retries the request two more times, for a total of three attempts. If all three attempts fail, ApsaraVideo VOD discards the event notification. For details about the callback determination and retry logic, see Callback determination and retries.

How to use HTTP callbacks

Prerequisites

Usage

  • ApsaraVideo VOD is available in multiple service regions. Event notification settings are configured independently for each region. You can configure a separate callback method and callback URL for each service region.

  • You can configure multiple callback URLs to meet development needs across different environments. For more information, see Set up multiple callback URLs.

Procedure

  1. Configure event notifications for HTTP callbacks in ApsaraVideo VOD.

    Note

    Callback settings configured in the ApsaraVideo VOD console apply globally. You can also use the API to configure global callbacks or implement a single-request override.

    Console

    1. Log on to the ApsaraVideo VOD console.

    2. In the left-side navigation pane, choose Configuration Management > Media Processing > Callback.

    3. In the top navigation bar, select a service region from the drop-down list next to Workbench.

    4. Configure the Callback Settings. In the Callback Authentication section, you can enable authentication and set an authentication key.

      1. Next to Callback Settings, click Modify.

      2. Configure the callback parameters.

        Parameter

        Description

        Callback method

        Select HTTP Request.

        Callback URL

        Enter the URL to receive callback messages. When a callback event occurs, the ApsaraVideo VOD server sends an HTTP POST request to this URL.

        The URL can be up to 256 bytes in length. You can specify only one URL.

        Events

        Select the event types for which you want to receive notifications. For more information about the supported event types and their meanings, see Event list.

        Note

        If you select AI Processing Completed, notifications are sent for all AI events, including AIMediaAuditComplete, AIMediaDNAComplete, and AIVideoTagComplete, when any of them completes.

      3. Click OK to save the callback settings.

    5. Optional: Configure Callback Authentication.

      When the callback method is HTTP Request, you can add authentication parameters to the HTTP or HTTPS header. This allows your callback receiver to verify the signature of the request and prevent unauthorized or invalid requests.

      1. Turn on the callback authentication switch, or click Modify next to Callback Authentication.

      2. Set the authentication key.

        This key corresponds to the AuthKey field in the signature algorithm. For more information, see signature algorithm. The key is user-defined, can be up to 32 characters long, and must contain uppercase letters, lowercase letters, and digits.

      3. Click OK to save the configuration.

      4. After enabling callback authentication, you must implement the corresponding authentication logic on your HTTP or HTTPS service that receives the callbacks. For more information, see How callback authentication works.

    API

    You can call different API operations to configure global callbacks or use a single-request override.

    Note

    To use the MessageCallback parameter in the UserData field for a single-request override, you must first enable global event notifications in ApsaraVideo VOD and configure the corresponding event types. Otherwise, the override settings will not take effect.

  2. Trigger a callback event.

    After configuring event notifications, perform an action in ApsaraVideo VOD to trigger an event. For example, you can upload media files (audio, video, or images) or initiate media processing jobs such as transcoding or snapshot creation.

  3. Receive the callback event.

    After a callback event occurs, you can view the event notification in your callback receiver if the callback succeeds.

How callback authentication works

When the callback method is HTTP Request, you can add authentication parameters to the HTTP or HTTPS header. This allows your callback receiver to verify the signature of the request and prevent unauthorized or invalid requests.

Usage

  • You can choose whether to enable HTTP callback authentication (recommended). If you set an AuthKey (authentication key), all callback requests will include the necessary authentication headers that your callback receiver can use for verification. Setting an AuthKey does not affect existing functionality; you decide whether to enforce validation on your receiver.

  • If you do not set an AuthKey, the HTTP callback feature still works as usual.

Authentication parameters

The following authentication parameters are added to the HTTP callback header:

Field

Description

X-VOD-TIMESTAMP

The UNIX timestamp, which is a 10-digit positive integer representing the number of seconds since January 1, 1970. This indicates the time when the callback request was initiated.

X-VOD-SIGNATURE

The signature string, which is a 32-character MD5 hash. For more information, see the signature algorithm below.

Signature algorithm

The value of X-VOD-SIGNATURE is calculated based on the following fields:

Field

Example

Description

callback URL

https://www.example.com/your/callback

The callback URL that you configured.

X-VOD-TIMESTAMP

1519375990

The UNIX timestamp when the callback request was initiated. The value is a 10-digit positive integer.

AuthKey

Test123

The pre-configured authentication key. It can be up to 32 characters long and must contain uppercase letters, lowercase letters, and digits.

Concatenate the three fields, separated by vertical bars (|), and then compute the MD5 hash:

MD5Content = callback URL|X-VOD-TIMESTAMP|AuthKey
X-VOD-SIGNATURE = md5sum(MD5Content)

The following example shows how to calculate the X-VOD-SIGNATURE field:

X-VOD-SIGNATURE = md5sum(https://www.example.com/your/callback|1519375990|Test123) = c72b60894140fa98920f1279219b****

Receiver validation rules

  • Your callback receiver reconstructs the string by concatenating your configured callback URL, the received X-VOD-TIMESTAMP value, and your stored AuthKey. It then computes the MD5 hash of this string and compares it with the value of the X-VOD-SIGNATURE header. If the values do not match, the request is invalid.

  • To prevent replay attacks, your callback receiver can compare its current time with the time in the X-VOD-TIMESTAMP header. If the difference exceeds a specified threshold (for example, 5 minutes), you can consider the request invalid.

    Note

    Due to potential clock skew between servers, this time-based check can be unreliable. You can decide whether to implement this check.

Key rotation

When you rotate your AuthKey, your callback receiver must temporarily support both the old and new keys to ensure a seamless transition and prevent callback failures. Your receiver must handle this dual-key validation logic.

We recommend the following procedure for key rotation:

  1. Define a new AuthKey.

  2. Update your callback receiver to accept and validate signatures created with both the new and old AuthKey.

  3. In the ApsaraVideo VOD console, update the AuthKey to the new key.

  4. After a monitoring period to ensure callbacks are working correctly, remove support for the old AuthKey from your callback receiver.

  5. The key rotation is complete.

Related documents

Previous:Event notificationNext:Simple Message Queue (formerly MNS) callbacks