Invalid signature after migrating to SDK JWT (v2.9.7)

I’m adding this post just for future reference, for anyone looking for a solution to the “Invalid signature” error message after migrating to the new SDK JWT auth.

If you’re sure you’re using the new SDK app type, your JWT contains the right payload, and it’s signed using the right SDK key, but you’re still getting the “Invalid signature” error, give this a try.

In my case, the reason was the iat payload attribute, which stands for “issued at”. According to the documentation, this value should be a UTC timestamp. In addition, in the sample app this value was then decreased by some seconds (like 30 or so). This is not enough, as the API seems to reject JWT tokens issued at a time which differs too much from the Zoom server time. Probably in my case the difference was something like 2 minutes compared to the server time on Zoom’s side.

Decreasing the current timestamp by some higher value, like 120 seconds, solves the clock difference issue between the Zoom server and our servers.

I highly recommend allowing a higher margin on the Zoom API side.
For now, what we - developers - can do is to decrease the iat by some reasonable value - it costs us nothing, but we’re sure that the time difference won’t cause a signature issue.

Hope that solves your issue and saves days of troubleshooting (2 days in my case).

Rad

Thank you so much @nowrad for documenting this and sharing a fix. We appreciate your contributions to our community!

Update: yesterday, with a stable connection, I started getting “Invalid signature” randomly. There were no changes in the code; it just stopped working suddenly. I decreased iat even more, from 120 to 400, and that solved the issue again. I guess that’s because traffic goes through a load balancer and is redirected to different servers with slightly different times on board. I don’t have any other explanation for why it was random and why decreasing iat helped immediately.

Can you show how you generate the SDK signature? The iat time is in seconds. If iat > Zoom server time, or exp time > Zoom server time, it will cause this issue.
@nowrad

In your code, for iat you subtract 30 seconds. In my case it’s 420.
For exp, I add a bit more than 2h. You can multiply by 4 instead of 2, just for testing.

Here is the working PHP code for generating signature:

use Nowakowskir\JWT\JWT;
use Nowakowskir\JWT\TokenDecoded;

//...

// Backdate "issued at" to absorb clock skew between this host and Zoom's servers.
$iat = time() - 420;

// First array is the JWT payload, second is the header.
$tokenDecoded = new TokenDecoded([
    'sdkKey'   => '<your sdk key>',
    'mn'       => '<your meeting number>',
    'role'     => 0, // or 1 depending on your needs
    'iat'      => $iat,
    'exp'      => $iat + 17200,
    'apiKey'   => '<your sdk key>',
    'tokenExp' => $iat + 17200,
], [
    'typ' => 'JWT',
]);

// Sign with the SDK secret using HS256 and serialise to the compact JWT string.
$signature = $tokenDecoded
    ->encode('<your sdk secret>', JWT::ALGORITHM_HS256)
    ->toString();

//...

@JackYang
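The clock-skew problem described in this thread, and the PHP snippet above, can be reproduced end to end with a small model. The following Python is an added example and is not code from the thread or from Zoom: it builds the same HS256 JWT with the same claim names using only the standard library, then runs it through a strict verifier that models the behaviour the thread observed (a token whose iat is later than the verifier's clock is refused). The verifier here reports a separate reason for each failure, whereas the thread reports that Zoom surfaces the iat case as "Invalid signature". The key, meeting number and secret are constructed placeholders, `iat_leeway` plays the role of the 420 seconds subtracted above, and `skew_tolerance` models the server-side margin the original poster asks Zoom to allow. One deliberate difference from the PHP: exp is computed from the real clock, not from the backdated iat, so the leeway does not extend the token's lifetime.

```python
# Added example (not from the forum thread or Zoom): HS256 JWT builder plus a
# verifier model that shows why a backdated iat survives clock skew.
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder; a real SDK secret must never be embedded in source.
SDK_SECRET = b"example-sdk-secret-placeholder"


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as the JWS compact form requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_sdk_jwt(sdk_key: str, meeting_number: str, role: int, secret: bytes,
                  now: int, iat_leeway: int = 420, lifetime: int = 7200) -> str:
    """Build the SDK JWT with iat backdated by iat_leeway seconds.

    Backdating iat absorbs clock skew between this host and the verifier:
    the verifier only ever sees a token claiming to have been issued in the
    past. exp is derived from the real clock so the leeway does not lengthen
    the token's validity window."""
    iat = now - iat_leeway
    exp = now + lifetime
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {  # same claim names as the PHP snippet in the thread
        "sdkKey": sdk_key,
        "mn": meeting_number,
        "role": role,
        "iat": iat,
        "exp": exp,
        "apiKey": sdk_key,
        "tokenExp": exp,
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_sdk_jwt(token: str, secret: bytes, server_now: int,
                   skew_tolerance: int = 0) -> str:
    """Model of a strict verifier. Returns 'ok' or a short failure reason.

    With skew_tolerance=0 any token whose iat is ahead of the verifier's own
    clock is refused, which is the failure mode the thread describes.
    skew_tolerance models a server-side margin (the thread asks Zoom for one)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return "malformed"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return "invalid signature"
    payload = json.loads(_b64url_decode(p))
    if payload["iat"] > server_now + skew_tolerance:
        return "issued in the future"
    if payload["exp"] <= server_now:
        return "expired"
    return "ok"


def demo(client_now: int, server_now: int, iat_leeway: int,
         skew_tolerance: int = 0) -> str:
    """Issue a token on a clock reading client_now, verify it on server_now."""
    token = build_sdk_jwt("placeholder-sdk-key", "123456789", 0, SDK_SECRET,
                          now=client_now, iat_leeway=iat_leeway)
    return verify_sdk_jwt(token, SDK_SECRET, server_now, skew_tolerance)


if __name__ == "__main__":
    now = int(time.time())
    # Client clock 120 s ahead of the server: 30 s of leeway is not enough,
    # 420 s is, and a 120 s server-side tolerance would also have saved it.
    print(demo(now + 120, now, 30))        # issued in the future
    print(demo(now + 120, now, 420))       # ok
    print(demo(now + 120, now, 30, 120))   # ok
```

Running the module shows the three outcomes the thread describes: with the sample app's 30 second backdate and a host clock two minutes ahead, the token is refused; with 420 seconds it passes; and the same 30 second token would pass if the server tolerated 120 seconds of skew. The signature check runs before the time checks, so a wrong secret is reported as "invalid signature" regardless of timestamps.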