"API Call Logs" for my "Created Apps" contain calls my created apps didn't make

When I go to my list of Created Apps in the Marketplace, there are two apps: a JWT app and a Server-to-Server OAuth app. I created these nearly identical apps for my client, and am replacing the JWT app with a near-identical Server-to-Server OAuth app because JWT apps are being shut down by Zoom as of 9/1/2023.

These two apps make exactly one API call: a POST to /v2/users/[user-id]/meetings to create a Zoom meeting. But the JWT app’s API Call Logs (reached by clicking the three dots next to the app in my list of “Created Apps” and choosing “View Call Logs”) show API calls that my two apps simply never, ever make. And yet, these logs are prefaced very specifically by the text “below are the Zoom Open API call logs generated by the apps you have developed”.

I am absolutely certain that neither of these apps are making some of the calls in these logs. There are many GETs and PATCHes to endpoints I don’t even recognize. Furthermore, the user-agent for the calls made by my “Created Apps” is always axios/0.21.4; that makes sense - my app uses Axios for XHR requests. All of the calls I don’t recognize, however, have user-agents like python-requests/2.28.1.

I suspect, but don’t know, that this user-agent is, in fact, the Zoom desktop client. And I suspect, but don’t know, that these unrecognized requests are being made by apps in my client’s list of “Added Apps” (third-party apps from the Marketplace that my client has installed).

But I don’t know that for sure, and I need to know that. Because I don’t want to delete my client’s JWT app (mandatory as of 9/1/2023) and suddenly have these mystery GETs and PATCHes fail because perhaps they’re being made by people in my client’s organization (their main account has many sub-accounts), who, somehow (???) are relying on the JWT app for authentication.

Has anyone else encountered this? Can someone from Zoom support shed some light here? Time is tight; I have to complete this migration by September 1 or have Zoom remove my client’s still-in-use JWT app. Thanks very much.

Our organization made the transition from JWT to Server-to-Server OAuth and any time I looked at the API Call Logs, I could vouch for every request that appeared there (we call the APIs exclusively from a web server). It sounds like you have some detective work to do on how your application’s credentials are being misused or perhaps unintentionally exposed. Perhaps you can study the network traffic in your customer’s environment to see how many are destined for the IP addresses for api.zoom.us and whether the origin IP address and port are what you expect, then investigate the device to see what process is using that port. You might be able to regenerate the credentials to force an early failure on your preferred schedule in advance of the deadline.
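One way to do the detective work the original post and this reply describe is to audit the exported call log against an allowlist of the calls the app is actually known to make. The script below is an added example, not code from the thread or from Zoom: the log line format, the sample entries and the `EXPECTED_CALLS` allowlist are constructed assumptions, so adjust the regex to whatever the real export looks like.

```python
import re
from collections import Counter

# Constructed sample log. Field layout (timestamp, method, path, user agent) is an
# assumption for this example, not Zoom's actual export format.
SAMPLE_LOG = """\
2023-08-15T14:02:11Z POST /v2/users/abc123/meetings axios/0.21.4
2023-08-15T14:05:40Z PATCH /v2/meetings/98765432100/livestream python-requests/2.28.1
2023-08-15T14:06:02Z GET /v2/meetings/98765432100 python-requests/2.28.1
2023-08-15T15:10:33Z POST /v2/users/def456/meetings axios/0.21.4
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST|PATCH|PUT|DELETE) (\S+) (\S+)$")

# The only call the author's app is supposed to make: create a meeting via Axios.
# Method, path pattern and user agent must all match for a call to be "expected".
EXPECTED_CALLS = [
    ("POST", re.compile(r"^/v2/users/[^/]+/meetings$"), "axios/0.21.4"),
]


def normalize_path(path):
    """Collapse purely numeric path segments (meeting ids) into {id} so that
    calls to the same endpoint group together regardless of the object id."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # silently skip malformed lines; a real export may have headers
            ts, method, path, ua = m.groups()
            entries.append({"ts": ts, "method": method, "path": path, "ua": ua})
    return entries


def is_expected(entry):
    return any(
        entry["method"] == method and path_re.match(entry["path"]) and entry["ua"] == ua
        for method, path_re, ua in EXPECTED_CALLS
    )


def audit(text):
    """Return every call that is not on the allowlist, grouped by user agent and
    by normalized endpoint, so the unexplained traffic can be traced to its source."""
    entries = parse_log(text)
    unexpected = [e for e in entries if not is_expected(e)]
    return {
        "total": len(entries),
        "unexpected": unexpected,
        "by_user_agent": dict(Counter(e["ua"] for e in unexpected)),
        "by_endpoint": dict(Counter(f'{e["method"]} {normalize_path(e["path"])}' for e in unexpected)),
    }
```

Any non-empty `by_user_agent` bucket is a user agent the app never sends, which is exactly the python-requests traffic the post describes; comparing `by_endpoint` against the permissions of each installed third-party app narrows down which one is responsible.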

Follow-up to my original post above: I’ve definitively determined that third-party apps I have installed on my account (that is, my account’s “Added Apps”) are the source of the API calls in the call logs (which are supposedly only from my account’s “Created apps”). For example, Rev, a popular real-time transcription app, which requests a livestream of the current meeting and accounts for API calls such as PATCH requests for https://api.zoom.us/v2/meetings/[meeting-id]/livestream, is an example of this.

Zoom, it would have been great to hear from you about this issue 🙂 I can’t be the only developer who’s encountered it.


Thanks @MultiplayerSession. I’ve determined that these seemingly “rogue” calls in my “Created App” call logs are in fact coming from third-party apps I have installed on my account (for example, Rev makes API requests concerning a livestream) - what Zoom calls “Added Apps”.

