Authenticate webhook POST from Zoom

The documentation for webhooks at https://marketplace.zoom.us/docs/api-reference/webhook-reference says that an ‘authorization’ header is sent by Zoom and the value can be compared to the Verification token shown on the Features page of my Marketplace app.

I have a number of webhooks being sent, none of which contain the ‘authorization’ header, that I can see. None of my logs show the verification token string being sent at all, anywhere in the POST request, as a header or otherwise.

Am I missing something?

I really need to authenticate POST requests to my endpoints; the only thing unique I see right now is a ‘clientid’ header.

Any ideas?

Hey @stevejohnson,

What language are you using for your server?

The verification token should be included, but depending on how you are receiving requests it could differ where in the header to find it.

Thanks,
Tommy

PHP

This is output of PHP’s getallheaders() (sensitive values 'x’ed):
Array
(
[User-Agent] => Zoom Marketplace/1.0a
[Connection] => Keep-Alive
[Host] => xxxxxx.net
[Content-Length] => 290
[Content-Type] => application/json; charset=utf-8
[X-Zm-Trackingid] => Webhook_409f4a3e202c4f39b3ca598e4ddaff38
[Clientid] => xxxxxxxxxxxxxxxxx
)

And the relevant part of $_SERVER (again, 'x’ed)
[HTTP_USER_AGENT] => Zoom Marketplace/1.0a
[HTTP_CONNECTION] => Keep-Alive
[HTTP_HOST] => xxxxxxxx.net
[CONTENT_LENGTH] => 290
[CONTENT_TYPE] => application/json; charset=utf-8
[HTTP_X_ZM_TRACKINGID] => Webhook_409f4a3e202c4f39b3ca598e4ddaff38
[HTTP_CLIENTID] => xxxxxxxxxxxxx

Hey @stevejohnson,

I belive the issue is on your PHP server configuration side of things. Checkout this stackoverflow:

Thanks,
Tommy

Thanks for that, didn’t occur to me to look there.

1 Like

Let me know if you resolve the issue @stevejohnson! :slight_smile:

Thanks,
Tommy