401 error when downloading recording with Server-to-Server OAuth token

Hi @david5
Thank you for your patience and for sharing more details with me.
I have been trying to replicate this issue on my end and I was able to do so.
I will reach out to our Engineering team about this and I will come back to you with an update.
I do not know if this is expected or if this is a bug on our end. (ZSEE-62252 internal ticket for reference)

I will update you shortly.
Best,
Elisa

Hi @david5
I did some testing on my end and what I did was that I grabbed the download_url from the payload that I received with me recording.complete webhook and then I used the download_url along with the download_token received in the same payload to get the recording, like so:

curl --location --request GET 'https://us02web.zoom.us/rec/webhook_download/{long_String}?access_token={download_token_from_payload}' \

Could you please give this a try and let me know if this works?

@elisa.zoom Using the download_token from the webhook message works fine (always has). The problem is that the token is only good for 1 hour after the message is received. If I need to reprocess the message or download the recording at a later date, I am unable to do so because my Server-to-Server OAuth token is not accepted in this scenario.

Right… let me reach out to the proper team about this and will come back to you with an update.
@david5

@elisa.zoom Curious what you were able to find related to this particular issue?

Hi,
I am having the same issue with trying to download a recording using a server-to-server OAuth access token and I am getting a 401 error, whereas if I use my old JWT token it works fine. I’m wondering if there is any progress on this issue?

@elisa.zoom What were you able to find regarding this issue?

Hi @david5
Unfortunately I do not have any updates at the moment

@elisa.zoom I was wondering if there were any updates here? It seems we’re not receiving the “download_token” field in our “recording.completed” webhook event and still are not able to use the Server to Server OAuth access token for downloading. There’s no good workaround other than to fail back to the JWT app type for this particular use case which I’d like to avoid if possible.

@david5 @pfa_zoom please confirm the following :

  • recording:read:admin scope on Server-to-Server OAuth app
  • That you have the Recording management and View the recording content permissions assigned on the user role that’s trying to download the recording

Thanks.

Hi, All
I have the same problem.
I think zoom will shutdown JWT app type end of next month. Is the issue fixed? If no, We will lost way to download recording file without only 1 hour token. That is very bad for our program.

Thanks

Hi @daichi ,

Can you please confirm the following?:

@gianni.zoom

Yes, My app have following scopes

View and manage sub account’s user meetings /meeting:masterDelete
View all user meetings /meeting:read:adminDelete
Get a meeting’s encoded SIP URI /meeting:read:admin:sip_dialingDelete
View and manage all user meetings /meeting:write:adminDelete
View live streaming meeting token information /meeting_token:read:admin:live_streamingDelete
View local archiving meeting token information /meeting_token:read:admin:local_archivingDelete
This scope allows an app to view an account’s users’ local recording meeting token information /meeting_token:read:admin:local_recordingDelete
View all user recordings /recording:read:adminDelete
View and manage all user recordings /recording:write:adminDelete
View all user information /user:read:adminDelete

Currently the app uses download_token instead.
Because s2s’s token was not pass authentication with download.
Thanks

Dear All,
I confirm that I have the same problem.
There are any updates?
Please let me know,
thanks
Best regards

Hi All,

I can reproduce. I just submitted a bug ticket as high priority (ZSEE-91225). I’ll share progress as it becomes available. Thanks!

2 Likes

It was not correct. “download_token” has 1 DAY untile expire. :sweat_smile:

@gianni.zoom

Thank you. Once you’ve resolved this issue, I plan to rewrite my app’s code and share a report to everyone.

1 Like

All, in the mean time while we wait for further investigation into the use of S2S OAuth tokens in recording webhook (e.x. recording.completed) download_url access_token field, can you please confirm that you can successfully use {{baseUrl}}/meetings/{{meetingId}}/recordings to get recorded meetings?

Thanks!

@gianni.zoom

Hi,
I tried

curl -H "Authorization: Bearer MASKED_S2S’sTOKEN_STRING“ https://api.zoom.us/v2//meetings/SOMEMEETINGID/recordings

It looks working. I got some json strings with HTTP Status 200.
The json has topic,recording_files and download_url I maked.

And then, I tried

curl -H “Authorization: Bearer <S2S’s ACCESS_TOKEN>” https://{{base-domain}}/rec/archive/download/xyz

It returned HTTP Code 302 with “long url”(it was point to a recording file).
so I can download from “long url” without any token.

1 Like

Hi @daichi @kirolive @david5 @pfa_zoom @jbassi ,

It’s been confirmed that the webhooks do not support OAuth or Server-to-Server OAuth tokens for cloud recording downloads. This is actually expected behavior and there’s been a request to change the documentation to correct the misguidance.

It is recommended that if you want to download cloud recordings after the webhook download_token has expired, use Zoom Meeting API .

I will submit a feature request to the platform PM to support S2S and OAuth tokens for webhook download_url.

FYI @elisa.zoom

Feature request ticket: Allow OAuth Tokens to Download Cloud Recordings from Cloud Recording Webhooks (ZSEE-92020), (DEVELOPERS-3922).

2 Likes