Announcement: May Release

Hi Zoom Developer Community, 

 

Here are all the changes of this May EP release.

 

— REST API: —

New:

  1. Version 2 - Retrieve User Permissions API

 

Enhancements:

  1. Added new parameter (topic) to “v1/metrics/meetings” and “v1/metrics/meetingdetail” APIs.

  2. Added new parameter zak to User Get API:

   - v1

    Added new parameter (zak, used for generating the start meeting url.) to “v1/user/get” API

   - v2

    Added new parameter value (type=zak, used for generating the start meeting url.) to “v2/users/{userId}/token” API

  3. Changed the format of “start_url” value from “/s/{meeting_number}?zpk=xxx” to “/s/{meeting_number}?zak=xxx” in the following APIs

   - v1

    /v1/meeting/get

    /v1/meeting/create

    /v1/webinar/get

    /v1/webinar/create

   - v2

    GET /v2/meetings/{meetingId}

    POST /v2/users/{userId}/meetings

    GET /v2/webinars/{webinarId}

    POST /v2/users/{userId}

  4. Add new parameter (account_id, cms_user_id) to “GET v2/users/{userId}” API

 

Fixes:

  1. Delete Assistant API Call not working

  2. “meeting_id” in retrieving meeting recording file API response is meeting number

 

 

— Webhooks: —

Enhancements:

  1. Add host’s accountId to recording_completed payload

  2. Add meeting id and host_id to participant_joined/left payload

Should this be posted on the release notes (note)?

And I have no idea when releases will become available after the ANNOUNCEMENT.

The change has affected our system, but none of us got the notification.

This change broke our integration, too, and this announcement does not mention that the start url links expire after 2 hours, either.

Please improve your communication related to such critical changes.

Thank you.

Hi Everyone,

Thanks for your concerns. We are in the middle of changing our internal processes. Moving forward, we will announce any API updates 10 days prior to release.

Thanks

Michael 

Hi Michael and Zoom team, this May update was a breaking change. Start URLs were previously valid indefinitely; after this change, they expired after 2 hours. For my company and for others who used the start URL to let users access meetings, this was a fundamental breakage. This announcement was posted two days in advance and did not refer to the breaking change.

In general, breaking changes to APIs are announced months in advance by the provider. 10 days is an unreasonable timeframe; most companies will not be able to drop everything and prioritize API integration changes within such a short period.

Hi Nick, first of all, there should be no regression from our end - we are investigating that and fixing our internal test cycles to make sure that we don’t introduce them going forward. We completely understand your pain point. If at all we need to add a breaking change (the only reason being patching security vulnerabilities), we will provide advance notice (as early as we know of it and predict a release vehicle for that change).

To Annie’s point of posting the changes to release notes, we will post it there as well but will continue to update the forums as this provides an opportunity for us to hear your feedback and concerns.

 

Hi Nick, this is Michael, Developer Advocate at Zoom. We apologize for any inconvenience and would also like to clarify why the change needed to take place immediately.

There was a security issue with the start-url zpk parameter. An attacker could generate a valid access token for any Zoom account, regardless of their organization, if they knew the userID for any account. This is why we had to change from the ZPK algorithm to ZAK.

For those reasons, we have to limit the expire time to two hours, but since this is breaking the current flow of our customers, we are looking to extend the expire time for the ZAK parameter to 90 days during our May Release.