API Dashboard
Vonage.com
Pricing
Support
Documentation
Blog
Code Hub
View All docs
Video API
Overview
Release Notes
Discover & Test
Technical Details
Video Products Comparison
Pricing
Getting Started
Use Cases
Overview
One-on-One Video with the Vonage Video API
Multiparty Video with Archiving with the Vonage Video API
Bridging Phone Calls into Video Meetings
Live Broadcasting with the Vonage Video API
Related Blog Posts
Build Your Solution
Client SDKs
Overview
Android
Overview
Release Notes
SDK Reference
iOS
Overview
Release Notes
SDK Reference
Linux
Overview
Release Notes
SDK Reference
macOS
Overview
Release Notes
SDK Reference
React Native
Overview
Release Notes
SDK Reference
Web
Overview
Release Notes
SDK Reference
Windows
Overview
Release Notes
SDK Reference
Server SDKs
Overview
.NET
Java
NodeJS
PHP
Python
Ruby
Migration Guides
Twilio Migration Guides
Overview
Android
iOS
Web
OpenTok Server SDK Transition Guides
Ruby Server SDK
Java Server SDK
.NET Server SDK
PHP Server SDK
Python Server SDK
Node Server SDK
Guides
Overview
Create a Token
Create a Session
Joining a Session
Getting Started
Initializing a Session Object
Connecting to a session
Disconnect from a Session
Detecting when you have disconnected
Automatic reconnection
Detecting when clients have connected and disconnected
Troubleshooting session connection issues (Javascript)
Troubleshooting session connection issues (React Native)
Audio fallback
Moderation
Publishing Streams
Overview
Initializing a publisher object
Publishing a stream
Extra configuration
Detect granted access to camera and microphone (Web)
Setting the camera and microphone (Web)
Remember camera and microphone selection (Web)
Stream settings (Web)
Managing publishers (Web)
Publishing video and audio from alternate sources (Web)
Video Settings (Web)
Best Practices (Web)
Troubleshooting (Web)
Stop a publisher from streaming
Getting statistics about a publisher's stream
Access & Checks
Testing a publisher's stream
Screen Sharing
General concepts
Screen sharing using the Web SDK
Android code example
iOS code example
Subscribe to Streams
Overview
Detect when streams are created in a session
Subscribe to a stream
Automatic reconnection
Detecting when streams end and a subscriber's video is disabled
Getting information about a stream
Unsubscribe from a stream (Javascript only)
Managing subscriber streams (Javascript Only)
Managing subscriber streams (React Native)
Troubleshooting (Javascript Only)
UI Customization
General customization
Swift
Web Only
Directly accessing the video element for a Publisher or Subscriber
Displaying a custom UI element when Subscriber audio is blocked
Adjusting video cropping and letterboxing
Hiding all built-in user interface controls for videos
Displaying or hiding the name in a video
Setting an image to display in audio-only mode
Setting the initial position and dimensions of a video
Accessing MediaStream objects
Accessing MediaStream objects for Subscribers
Resizing or repositioning a video
Getting a snapshot image of a video
Management & Signaling
Signaling
Session Monitoring
Server Rotation
Video Session Customization
Adjusting Audio & Video
Voice Only
Publisher Audio Fallback
Archiving
Overview
Customizing the video layout for composed archives
Layouts for composed archives and live streaming broadcasts
Amazon S3 server-side encryption
Archive Encryption
Archiving using a Windows Azure container
Archiving using AWS S3
Broadcast
Overview
Live Interactive Video Broadcasts
Live streaming broadcasts
Layouts for composed archives and live streaming broadcasts
Experience Composer
Experience Composer
SIP Interconnect
SIP Interconnect
AI Connectors
Audio Connector
Live Captions
Media Processor
Overview
Android
iOS
iOS (Swift)
macOS
React Native
Web
Windows
Additional Resources
Video Insight
Video Codecs
Scalable Video
VP9 Scalable Video Coding
Mobile Guidelines
1080p Video
Security
Securing Your App
Advanced Media Stream Encryption (AES-256)
End-to-End Encryption
Secure Callbacks
Networking & Environment
Enterprise Environment
IP Allowed List
Restricted Network Guidelines
Configurable TURN Servers
Regional Media Zones
IP Proxy Routing
EU Proxy Routing
Tools & Debugging
Insights API
Exception Handling - JavaScript SDK
Debugging
Tutorials
Archiving
Adjusting audio and video
Creating a video chat app
Create session
Token creation
Custom Video Capturing (Mobile Only)
Custom video rendering (Mobile Only)
Custom Audio Driver (Mobile Only)
Debugging
Mobile guidelines
Moderation
Signaling
A basic text chat implementation
API Reference
Developer Tools
Overview
Archive Inspector
Insights GraphiQL Explorer
Session Inspector
Playground
Pre-Call Test
Vonage Video API Reference App for React
Overview
Release Notes
Manage & Support
Related Blog Posts
Billing and Payments
Sample Apps
Community Slack
Video Express
Overview
Developer Guide
SDK Reference
Release Notes
Video + AI
Overview
Audio Connector
Live Captions
Media Processor
Overview
Android
iOS
iOS (Swift)
macOS
React Native
Web
Windows

Secure Callbacks

You can configure the webhooks you use for Video API to be secured with signed callbacks.

The secure callbacks feature provides a method for your application to verify a webhook callback request is coming from Vonage and its payload has not been tampered with during transit. When receiving a request, the incoming callback webhook will include a JWT token in the authorization header, which is signed with your signature secret.

The following API callbacks can be secured with signed callbacks and configured with their own signature secret:

  • Session monitoring — Monitor session activity by registering a callback URL. Session monitoring webhook callbacks will be sent to the URL when a Session event is detected.

  • Archiving monitoring — Monitor archive status by registering a callback URL. Archive callbacks will be sent to provide status events on archive recordings and the resulting files

  • SIP call monitoring — Monitor SIP call activity by registering a callback URL. An HTTP request will be sent to the URL when a SIP call event is detected

  • Experience Composer monitoring — Monitor Experience Composer activity by registering a callback URL. Experience composer callback events will be sent when the Experience Composer's status changes.

  • Broadcast monitoring — Monitor Broadcast activity by registering a callback URL. Broadcast callback events will be sent when a Broadcast event is detected (for example, when a Broadcast is created, updated, or destroyed).

  • Live captions monitoring — Monitor Live Captions activity by registering a callback URL. Live Captions callback events are sent when live captions start, stop, and fail.

Configuring secure callbacks

The following instructions can be used to enable Session Monitoring a secure callback. You can also follow these instructions similarly for other callbacks (for archive monitoring, SIP call monitoring, and experience composer monitoring).

  1. Log in to your Vonage Video API Account.

  2. From the left-hand menu, select Applications.

  3. For existing projects click on the three dots and select the Edit option and scroll down to the capability section.

  4. For new projects the capability section is displayed after clicking on Create a new application.

  5. Toggle to enable the video option.

  6. The user interface includes options to configure the callback URL and (optionally) a signature secret.

  7. A randomly generated signature secret will be provided by the system each time the signature secret field is enabled. This pre-populated signature secret value can be used or overwritten with a user selected value. When receiving a callback, the incoming webhook will be signed with the signature secret configured in the field. Click Save Changes to configure this secret to be used for secure callbacks. (Note: the signature secret must be character string, with a minimum length of 1 character to a maximum length of 50 characters.).

83w. The system will report that secure callbacks have been configured with the URL and signature secret. Note that updates may take up to 30 minutes to apply the configuration in the platform.

Validating secure callbacks

Validating secure callbacks provides a number of security benefits, including:

  • The ability to verify a request originates from Vonage

  • Ensuring that the message has not been tampered with while in transit

  • Defending against interception and later replay

There are two parts to validating secure callbacks:

  • Verifying the request

  • Verifying the payload (optional)

Verifying the request

Callbacks will include a JWT in the Authorization header. Use the API key included in the JWT claims to identify which of your signature secrets has been used to sign the request. The secret used to sign the request corresponds to the signature secret associated with the api_key included in the JWT claims. You can identify your signature secret through the Vonage Video API Account portal.

Verify the payload has not been tampered with in transit

Once you have verified the authenticity of the request, you may optionally verify the request payload has not been tampered with by comparing a SHA-256 hash of the payload to the payload_hash field found in the JWT claims. If they do not match, then the payload has been tampered with during transit. You only need to verify the payload if you are using HTTP rather than HTTPS, as Transport Layer Security (TLS) prevents MITM attacks.

Code sample

The following Express example shows how to verify a webhook signature. It is recommended you use HTTPS protocol as it ensures that the request and response are encrypted on both the client and server ends.

Known Limitations/Considerations

The following section covers limitations and considerations before enabling this feature.

Callback IP address

Once enabled for secure callbacks, the IP Address range used by the Vonage callback service will be of a different set than previous Video API callbacks. Please allow the following range to enable seamless communication with Vonage secure callbacks: 216.147.0.0/18.

TLS Mutual Authentication no longer applicable

Once enabled for secure callbacks, ‘TLS Mutual Authentication for HTTPs connection’ covered in this support article is no longer applicable and should not be used.

Callback retry and back off policy changes

Once enabled for secure callbacks, there will be a change in behavior for the callback retry and backoff policy.

What will happen if the callback events of my application goes down?

  • Previous behavior: Vonage will retry 4 times for each event that we fail to deliver to the application server.

    For Session Monitoring Only - If the platform detects 50 delivery failures within a 30 minutes time frame, the event forwarding was disabled for Session monitoring callbacks. A notification email was sent to the customer to notify that callbacks were disabled. To re-enable event forwarding, the Session monitoring callback URL needed to be configured again via the Vonage Video API Account Portal.

  • New behavior: After 24 hours, the individual callback retry logic will stop and the individual callback event will no longer be sent. However, callbacks for new events will continue to be attempted.

Important: The session monitoring service no longer disables event forwarding in the case of excessive delivery failures (as was the case in previous versions), since a retry and backoff mechanism is used. You will no longer receive emails on session monitoring callback disruptions, since the service will not be suspended or disabled.

Navigation

Secure Callbacks
Configuring secure callbacks
Validating secure callbacks
Verifying the request
Verify the payload has not been tampered with in transit
Code sample
Known Limitations/Considerations
Callback IP address
TLS Mutual Authentication no longer applicable
Callback retry and back off policy changes