How to obtain the wbk JWT for Whiteboard? 401 Unauthorized in Firefox

Meeting SDK Type and Version

  • SDK Type: Web
  • Version: @zoom/meetingsdk v3.13.2

Description
We are integrating the Zoom Whiteboard feature using the Web Meeting SDK into our Next.js application. Our goal is to have a stable, cross-browser experience.

The Whiteboard loads and functions perfectly in Google Chrome. However, it consistently fails to load for our users in Firefox. The UI displays an “invalid token” error after a timeout.

Through debugging, we’ve determined that the failure is due to a missing authentication header, a JWT we’ve identified as wbk (Whiteboard Key?). This header is present in successful Chrome requests but is absent in Firefox, causing the API call to be rejected.

Our objective is to find the official, server-side method to obtain this wbk token so we can inject it via our proxy, creating a solution that does not rely on browser-specific fallbacks. Alternatively, we would of course be happy with support on how to enable the SDK to successfully initialize the authentication itself.

Error?
The primary technical error is a 401 Unauthorized response when the SDK’s embedded iframe attempts to make a GET request to the Whiteboard API.

Successful Chrome Request Headers (HTTP/2):

:authority: nws.zoom.us
:method: GET
:path: /nws/das/api/v1/projects?pageSize=50
:scheme: https
accept: application/json, text/plain, */*
origin: https://zoom.us
referer: https://zoom.us/
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
wbk: eyJ0eXAiOiJKV1QiLCJrIjoiWnNIVlhaZngiLCJ6bV9z...
x-zm-aid: y5Dt8BGLR4e_Rjb....
x-zm-haid: 630
zm-scenario: Client in-meeting

Failing Firefox Request Headers (HTTP/2):

Host: nws.zoom.us
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Origin: https://zoom.us
Referer: https://zoom.us/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

The clear difference is the presence of the wbk header in the successful request.

Troubleshooting Routes
We have exhausted the following troubleshooting paths:

  1. CORS Proxy: We successfully resolved all CORS issues by implementing a server-side proxy for requests to nws.zoom.us, as recommended in other developer threads.

  2. Cross-Origin Isolation: We have correctly implemented a fully enforced Content-Security-Policy, Cross-Origin-Embedder-Policy: require-corp, and Cross-Origin-Opener-Policy: same-origin. The meeting itself now loads perfectly in Firefox without any security policy errors, but the 401 on the Whiteboard API persists.

  3. ZAK Token: We have tried generating a ZAK token on our server and have tried both embedding it in the Meeting Signature JWT and passing it directly in the ZoomMtg.join() call. Neither approach solved the 401 error, i.e. the wbk header is still not present.

  4. wbk JWT Analysis: We decoded the wbk from a working Chrome session and confirmed it is a JWT signed with the ES256 algorithm. This proves it can only be generated by Zoom’s servers, as we do not have the private key.

  5. SDK Source Code Analysis: We analyzed the Whiteboard’s own JavaScript (app.817494cd.js) and confirmed it expects to receive the wbk from its host environment via a postMessage call (RESPONSE_TOKEN). This communication appears to be what is failing in Firefox, likely due to stricter storage partitioning.

How To Reproduce

  1. Authentication Method: We use a Server-to-Server OAuth app to generate an access token. This token is used to call the /users/{userId}/token?type=zak endpoint to get a ZAK token for one of our ISV users. We also generate a standard Meeting SDK JWT Signature for joining the meeting.

  2. Steps:

    • Initialize and join a meeting using ZoomMtg.join() with the SDK JWT signature in a web application that is fully cross-origin isolated.

    • After successfully joining the meeting, initiate the Whiteboard feature.

  3. Errors: In the browser’s developer console, observe the 401 Unauthorized network error on the GET https://nws.zoom.us/nws/das/api/v1/projects request.

  4. Browser/Client: Latest version of Firefox on macOS.
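
The header comparison and the wbk JWT analysis described in the post, as an added example that is not part of the original post and is not Zoom's code: it diffs two request-header dumps and reads a JWT's `alg` without verifying the signature. The token, the header values and the function names `inspectJwt`, `parseHeaders` and `missingHeaders` are constructed for illustration.

```javascript
// Constructed sample data; no value here comes from a real Zoom session.
const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const SAMPLE_TOKEN = [enc({ typ: "JWT", alg: "ES256" }), enc({ exp: 1700000000 }),
  Buffer.alloc(64).toString("base64url")].join("."); // 64 zero bytes stand in for r||s
const WORKING = `:method: GET
accept: application/json, text/plain, */*
origin: https://zoom.us
wbk: ${SAMPLE_TOKEN}
x-zm-aid: PLACEHOLDER
x-zm-haid: 630
zm-scenario: Client in-meeting`;
const FAILING = `Host: nws.zoom.us
Accept: application/json, text/plain, */*
Origin: https://zoom.us
Sec-Fetch-Dest: empty`;

const b64urlJson = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Decode header and payload of a compact JWS. The signature is NOT verified here.
function inspectJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  const header = b64urlJson(parts[0]);
  const alg = String(header.alg || "");
  // HS* relies on a shared secret; ES*/RS*/PS*/EdDSA need the issuer's private key.
  const family = /^HS\d+$/.test(alg) ? "symmetric"
    : /^(ES|RS|PS)\d+$/.test(alg) || alg === "EdDSA" ? "asymmetric" : "unknown";
  const signatureBytes = Buffer.from(parts[2], "base64url").length;
  return { header, payload: b64urlJson(parts[1]), alg, family, signatureBytes };
}

// Parse a "name: value" dump; HTTP/2 pseudo-headers keep their leading ':'.
function parseHeaders(dump) {
  const map = new Map();
  for (const line of dump.split("\n")) {
    const m = line.trim().match(/^(:?[^:\s]+):\s*(.*)$/);
    if (m) map.set(m[1].toLowerCase(), m[2]);
  }
  return map;
}

// Header names sent by the working request but absent from the failing one.
function missingHeaders(workingDump, failingDump) {
  const ok = parseHeaders(workingDump), bad = parseHeaders(failingDump);
  return [...ok.keys()].filter((k) => !k.startsWith(":") && !bad.has(k));
}

const info = inspectJwt(parseHeaders(WORKING).get("wbk"));
console.log(missingHeaders(WORKING, FAILING), info.alg, info.family);
```

Header names are compared case-insensitively because Chrome's HTTP/2 view shows them lowercased while Firefox's view capitalizes them.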