Can't Verify Deauthorization Event Notification using Secret token

API Endpoint(s) and/or Zoom API Event(s)

(It wouldn’t let me include links in the post, so I put ‘abc’ instead of ‘http’)

  • App Deauthorization Event: app_deauthorized
  • Related documentation: a//developers.zoom.us/docs/distribute/app-submission/common-rejection-issues/#removing-an-app-incomplete-implementation

Description:
Hi, I’m a developer on a team that created a Zoom Marketplace application. Our API needs to handle the deauthorization process when users remove our app from their Zoom account, as outlined in your documentation.

I noticed that in your documentation (Option 2, end of Step 1), you reference a page explaining the Deauthorization request, but that page no longer exists. Why was it removed, and where can we find this information now?

Until now, we’ve been verifying that requests come from Zoom by comparing the AUTHORIZATION header with our Verification Token. However, we saw that you’ve marked this method as deprecated, so we started implementing verification using the Secret Token according to the documentation found here: a//developers.zoom.us/docs/api/webhooks/#verify-with-zooms-header .

Error:
Despite following your documentation process step-by-step, the signature we generate doesn’t match the “x-zm-signature” header we receive from Zoom.

Request example that we couldn’t verify using the new method:
1. Headers:

x-zm-request-timestamp: 1749365726
x-zm-signature: v0=9e5f9767d4c3739b2d15164974418cb2b0f391b8ac90e11e07eea52903904229

2. Body:

{
  "event": "app_deauthorized",
  "event_ts": 1749365726209,
  "payload": {
    "account_id": "MXEuWmOmTsKWUswrfpPslg",
    "client_id": "bDU6oQQ5Qe6sz9mVaMVEyw",
    "deauthorization_time": "2025-06-08T06:55:26.209Z",
    "signature": "18f3b817cd03d164190b0d72755fdf51a33484ed89872838633adf0295fd99d5",
    "user_data_retention": null,
    "user_id": "NtEMagHcQAygosd81Lzysw"
  }
}

After signing this request according to your documentation with our secret key, we generated the signature:
v0=e17efe1622793315201efbe16abbd0e0419ce3d69ed0525593ff83d4bae07af9
But the signature we received in the header was: v0=9e5f9767d4c3739b2d15164974418cb2b0f391b8ac90e11e07eea52903904229

How can we identify where our signature generation is going wrong? We followed your documentation step by step.

Is there an alternative method that’s more similar to the old way of verifying requests come from Zoom, without the hash process that has many potential failure points?

1 Like
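The check described in the post above, as an added example that is not code from the thread or from Zoom: it verifies `x-zm-signature` over the raw request bytes and includes a small helper that reports which serialization of the body reproduces the received signature, since re-serializing parsed JSON is a common cause of a mismatch. It assumes the signature is a hex HMAC-SHA256 over `v0:{timestamp}:{body}` keyed with the Secret Token and prefixed with `v0=`; the function names, lower-cased header dictionary, freshness window and sample values are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumption: replay window picked for this example


def zoom_signature(secret_token, timestamp, body_bytes):
    """Return 'v0=' + hex HMAC-SHA256 of 'v0:{timestamp}:{body}' keyed with the secret token."""
    message = b"v0:" + timestamp.encode() + b":" + body_bytes
    return "v0=" + hmac.new(secret_token.encode(), message, hashlib.sha256).hexdigest()


def verify_zoom_webhook(secret_token, headers, raw_body, now=None):
    """True only if the timestamp is fresh and the signature matches the raw body bytes."""
    timestamp = headers.get("x-zm-request-timestamp", "")
    received = headers.get("x-zm-signature", "")
    if not (timestamp.isascii() and timestamp.isdigit()) or not received.startswith("v0="):
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False
    expected = zoom_signature(secret_token, timestamp, raw_body)
    return hmac.compare_digest(expected.encode(), received.encode())  # constant-time compare


def diagnose(secret_token, headers, body_bytes):
    """Name the serialization of this body that reproduces the received signature, else None."""
    parsed = json.loads(body_bytes)
    candidates = {
        "bytes as given": body_bytes,
        "json.dumps default (adds spaces)": json.dumps(parsed).encode(),
        "json.dumps compact": json.dumps(parsed, separators=(",", ":")).encode(),
    }
    timestamp = headers.get("x-zm-request-timestamp", "")
    received = headers.get("x-zm-signature", "").encode()
    for name, candidate in candidates.items():
        if hmac.compare_digest(zoom_signature(secret_token, timestamp, candidate).encode(), received):
            return name
    return None


# Constructed sample: the secret, body and resulting signature are made up for this example.
SECRET = "constructed-secret-token"
RAW_BODY = b'{"event":"app_deauthorized","event_ts":1749365726209,"payload":{"user_data_retention":null}}'
HEADERS = {"x-zm-request-timestamp": "1749365726"}
HEADERS["x-zm-signature"] = zoom_signature(SECRET, "1749365726", RAW_BODY)  # sender side
RESERIALIZED = json.dumps(json.loads(RAW_BODY)).encode()  # what a body-parsing framework may hand you
```

If `diagnose` returns `None` for every form of the body, the serialization is not the problem and the secret or the timestamp header being used is the next thing to check.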

Hi @Uri1,

Welcome to the forum.
I have also noticed a couple of other sections where there is missing documentation, and I am working with Zoom to have these added.

I was about to tackle this function next week, so I will add the request to my list, but also report back to you what I find on this particular subject.

All the best

John

2 Likes

Hi @Uri1
This webhook event only gets triggered when the app is published. So you won’t receive this event now until your app is approved by the marketplace team.

Hi, our application has been published and is available in the marketplace (Wix App).
Our issue is that we’re unable to verify that Deauthorization requests are coming from Zoom using the new method you suggest (with the secret token) even though we followed the documentation instructions.
We saw in the documentation that the old method (with the Verification Token) is going to be deprecated.
How do you suggest we proceed?

Hi @Uri1
Thanks for the follow up.
I will send you a DM so I can look further into this.