Best practice for linking a Deauthorization webhook with an access token

Format Your New Topic as Follows:

Zoom OAuth

Description
Currently; I am obtaining an access token, parsing the JWT to extract the account ID and storing that account ID with the access token. Once a deauth webhook is received; I find the access token via the account ID and remove it. This feels kind of dirty because I am using the access token itself which is undocumented and subject to change; is there another recommended method for linking a Deauthorization request with an access token?

Error?
N/A

How To Reproduce
N/A

Hi

Are you doing this process each time there is a new access token granted?

What do you mean by “using the access token itself”? Like from when you initially obtain the access token like in the first part of your post?

Ultimately, the account id is the main identifier in the deauth notification webhook and then you use that to isolate the access token which it sounds like you are doing. I do understand the push for more official guidance on this though.

Before I continue, please confirm my present understanding :slight_smile:

What do you mean by “using the access token itself”? Like from when you initially obtain the access token like in the first part of your post?

Many thanks for your response; Yes; so when I initially obtain an access token; I parse it to retrieve the account ID and store it. I then use this to identify which access token to delete when a deauth webhook is received.

@mark.walsh , I’m going to check in with some of our app marketplace specialists to see if there’s any updated guidance I can offer you!