Clarification on Webhook Validation with Zoom RTM SDK

We are currently integrating Zoom RTM Webhooks into our application and have encountered an issue with the validation process.

Zoom requires a single webhook URL that is used for two purposes:

1. Validation – Zoom sends a request with a plainToken that our server needs to echo back in a specific format.

2. Events – After validation, Zoom sends event payloads (e.g., meeting started, participant joined) to the same URL.

The challenge we are facing is that the Zoom SDK we are using appears to spin up an internal server and only exposes event handler functions. It does not expose the underlying HTTP endpoint, so we are unable to handle the initial validation request directly. Since both validation and events are sent to the same URL, we are stuck at the validation step.

Our questions are:

1. Is there a recommended way to handle the validation request when using the SDK?

2. If not, is it possible to configure the SDK so that we can intercept or extend the raw HTTP endpoint to respond to validation?

3. Could you confirm the exact response payload expected for the validation request (e.g., plainToken vs. encryptedToken format), so that we can prepare a workaround if needed?

In short, the issue is that Zoom expects the same webhook URL for validation and events, but the SDK does not currently provide a way to respond to the validation request.

Any guidance or examples on how to resolve this would be greatly appreciated.

@lingolet Thank you for reaching out about this!

Webhook Validation is currently only supported within Webhook Only applications. However, Webhook Only applications do not currently have the RTMS events available to them.

What this means is that the marketplace itself does not yet support a flow that includes webhook validation.

With that being said, I think I should be able to add support for automatic Webhook Verification using an environment variable for the secret and the POST headers of the event.

You can always spin up your own webhook server and call RTMS from within that server instead of the built-in onWebhookEvent. If it’s useful, I can add an option to disable that webhook server as well.

We should have some examples of this in our Webhook Validation docs.

Let me know if that helps!

We’re running into a similar issue really wish the SDK exposed the raw HTTP layer for more flexibility. It’d be great if Zoom allowed separate URLs for validation and events. Following this thread closely in case anyone finds a clean workaround.