I have searched, but I cannot find an answer to this. I set up a webhook only app. I cloned the repo here. GitHub - zoom/webhook-sample-node.js: Receive Zoom Webhooks both using the deploy button and the manual deploy. I was able to use my own values to ping the page from postman and I got a successful response, but I cannot get the app to validate. I realize that the plainToken value is different every time, but I have combed through the code and everything seems correct. I compared to the documentation and it looks like everything is there, so I can’t figure out what I’m doing wrong.
After looking at my Heroku logs I have verified that this is the issue. The signature hash doesn’t match the header value x-zm-signature.
if (req.headers['x-zm-signature'] === signature) {
This is the code that creates the signature hash
const hashForVerify = crypto.createHmac('sha256', process.env.ZOOM_WEBHOOK_SECRET_TOKEN).update(message).digest('hex')
I am facing the same issue here.
Following the docs and creating a valid SHA256 Hex digest code does not validate the webhook event subscription.
Does anyone solve this in any way? Any help will be apreciated
Thanks in advance
1 Like
Hey @salachniewicz , @joao.carvalho ,
Make sure you are setting your Webhook Secret Token in an environment variable named ZOOM_WEBHOOK_SECRET_TOKEN . The code in the sample should handle the rest. 
Please let me know if that helps!
Thanks,
Tommy
Yes I did that. I even hard coded it in the index.js file to verify. I used postman and hard coding my own values I seem to be able to get it to give a valid response, but not when I test from zoom
Hi @Stan many are having a problem validating and waiting on a solution so it may not be your issue. Here are my thoughts and am waiting on confirmation or contradiction. Best
The thing is, I checked the Heroku logs and I can visibly verify that the signature and header don’t match.
Happy to post screenshots of stuff if it helps.
oh sorry you are asking about verifying and not validating. So probably not your issue. I was having the same issue verifying until I realized that the stucts (golang) I was building with the payload were not set up exactly the same as the webhook payload. I had to print out the payload and arrange my object to match it exactly so when I encoded they would match. also check if your signature string to be encoded looks similar to this
v0:{WEBHOOK_REQUEST_HEADER_X-ZM-REQUEST-TIMESTAMP_VALUE}:{WEBHOOK_REQUEST_BODY}
Example string with printed values:
v0:1658940994:{"event":"session.started","payload":{"account_id":"{ACCOUNT_ID}","object":{"st
and comparing signature looks like this
v0={HASHED_MESSAGE}
Thanks @harold for pointing this out.
The Webhook Secret Token is used for two things:
It is important to understand that clicking the verify button in the marketplace webhook build flow triggers 1.
-Tommy
Well I’m specifically talking about the blue button when creating an event notification. Hope I didn’t word it wrong. Let me take a look at what you wrote and see if I notice an issue with what I have.
1 Like
the blue button is issue #1 which is the issue I am referring to.
Ok so here’s the code, it’s straight from the github node app, I didn’t modify anything.
const message = v0:${req.headers['x-zm-request-timestamp']}:${JSON.stringify(req.body)}
const hashForVerify = crypto.createHmac(‘sha256’, ‘’).update(message).digest(‘hex’)
const signature = v0=${hashForVerify}
And when comparing that to the header, it seems to not match
if (req.headers[‘x-zm-signature’] === signature) {
Which I confirmed in the Heroku logs
Yeah as Tommy said those are 2 different steps. Your code is for 2. You validating the request came from Zoom
the blue validate button is for
Hey @salachniewicz ,
For validating the URL, just make sure you are following this if block step:
Thanks,
Tommy
Yea so that’s all there, I really wonder if the hash is right because the req.headers are not equal to the signature variable. But I see that that line is commented out on yours, should I do the same?
So Harold are you saying this is a known issue and nothing I can do to fix at the moment?
I don’t know why I asked, I should have just done it. I commented the code at as seen in the screenshot above and it validates! Thank you all so much for your help!
1 Like