Can't find a verification token for Server-to-Server OAuth app

I created Server-to-Server OAuth app. All works fine including webhooks. But how can I make sure that the webhook came from the zoom app? I can’t see any verification token on the features tab.
For info
When I receive a webhook, the request contains an authorization header, which I expect is the verification token. But what should I compare it to?

Hello Pavel, welcome to the Zoom Dev Forum!

The Zoom Webhook Reference (Headers) docs details the authorization header is a verification token that Zoom provides to help ensure that the webhook request is originating from Zoom.

When you setup your webhook endpoint in the Marketplace App Settings page, this verification token was generated and is static for this purpose. You can store this token in an environment variable that your application can use to verify the token matches.

When I setup my webhook endpoint (Server-to-Server OAuth app), I do not see any verification token. Where can I find it?

For OAuth and JWT apps the verification token is presented in the features tab when at least one webhook is configured.

Correct, that is the verification token that Zoom will submit to your webhook endpoint(s). All you need to do is copy this into your apps environment settings so you can use it to verify the webhook request authorization header matches this token.

My apologies, I just started at Zoom last month and discovered I do not have this exact app type in my dev account to reference. I understand what you asking now and will circle back once I have the correct information.

Yes, we are talking about a new Server-to-Server OAuth app.
For this type of application the verification token is missing from the features tab.

Thanks in advance!

OAuth app has a Deauthorization notification.

I would like to know if such an option is planned for the Server-to-Server OAuth app. I can’t find information about this anywhere.

Hi @spvfullstack ,

The deauthorization notification happens when the app is uninstalled by a user. Since the server-to-server apps “cannot be installed” or rather does not require user authorization, it will not have the deauthorization notification.


Follow up on this issue, the missing verification token UI does appear to be a bug in our UI for Server-to-Server OAuth apps configuration.

The team is aware of it and should be resolved in a future release, however I do not have an exact date at this time.