Invite URL password hash

API and Webhooks
1

Not quite REST API related, but couldn’t find a better place.

When creating a meeting with a password using the scheduler plugin, there is pwd parameter with what appears to be a hash of the numerical meeting password. What is the hash used?

Example:
https://xxx.zoom.us/j/602226XXX?pwd=UzlBbktJMjZib255L1huQlhkLzBvQT09

2

Hi @chaseadam,

The value of the pwd parameter is a hash that is essentially your meeting password encrypted.

Thanks

3

Thanks! If I know the password of a meeting how do I generate the parameter?

4

Checking back to see how this value is generated if I have the meeting ID and plaintext password.

5

Hi @chaseadam,

Are you referring to how to generate the hash correct? If so, its generated by our backend and not the user.

Thanks

6

Hi Michael, We want to send the zoom meeting link with the password hash to our participants. If the Zoom backend generates the hash, how do we capture that without having access to it through the API?
Thank you

7

Hey @jeckstein,

Can’t you just send the join_url to your participants with the password in the query param?

Thanks,
Tommy

8

No Tommy you can’t because if the pwd is not hashed it does not recognize the password in the query param. I just tested it out without a hash and it asked for the password.

Are we allowed to know how to hash the password so we can send the join_url with the correctly formatted pwd hash?

OR

If the meeting is created using the Zoom API and a password is provided does the API send back a response object with the hashed password in the join_url value? Perhaps in a different key => value pair? The response object example in the documentation does not have a password set.

9

Hey @bizstim.apps,

May I ask how the password is being generated? Are you creating one using the Create Meeting endpoint, or is the Zoom Web Portal creating one for you?

Screenshot of the flow would be helpful.

Thanks,
Tommy

10

The zoom API: create meeting has a password field so I send the following post array via the cURL procedure which will format it into a string, for example:

$password = 8 character numeric number that is generated by my server.

$post_data = [
‘topic’ => $session_description,
‘type’ => 2, //scheduled meeting
‘start_time’ => $session_date.‘T’.$session_start_time.’:00’,
‘duration’ => $session_minutes,
‘password’ => $password,
‘settings’ => [
‘host_video’ => $host_video,
‘participant_video’ => $participant_video,
‘cn_meeting’ => $cn_meeting,
‘in_meeting’ => $in_meeting,
‘join_before_host’ => $join_before_host,
‘mute_upon_entry’ => $mute_upon_entry,
‘watermark’ => $watermark,
‘audio’ => (string) $getZoomSettings[‘audio’],
‘auto_recording’ => (string) $getZoomSettings[‘auto_recording’],
‘enforce_login’ => $enforce_login,
‘waiting_room’ => $waiting_room
]
];

If the password field is populated within the request, will ZOOM send a response with a join_url and start_url with “?pwd=<hashed_password>” within the response? Is there an additional key=>value pair provided within the response to show the hashed password? OR, do we have to send the link and password separately to our customers?

I ask because the documentation does not have an example of a request-response for a set password.

Thanks for your time and patience.

11

Hey @bizstim.apps, and everyone,

Here is a the request/response from a meeting I just created with a password:

POST https://api.zoom.us/v2/users/me/meetings

BODY:

{
	"topic":"Test Password",
	"type":2,
	"start_time": "2020:04:05T00:00:00Z",
	"duration": 30,
	"password": "1234@"
}

Response:

{
    "uuid": "",
    "id":,
    "host_id": "",
    "topic": "Test Password",
    "type": 2,
    "status": "waiting",
    "start_time": "2020-04-03T03:39:39Z",
    "duration": 30,
    "timezone": "America/Denver",
    "created_at": "2020-04-03T03:39:39Z",
    "start_url": "",
    "join_url": "https://tommygaessler.zoom.us/j/meetingID?pwd=UjJQTENnamVFMEpQN2tVUHRHZmY4Zz09",
    "password": "1234@",
    "h323_password": "232607",
    "pstn_password": "232607",
    "encrypted_password": "UjJQTENnamVFMEpQN2tVUHRHZmY4Zz09",
    "pmi": "",
    "settings": {
...

As you can see there are variations of the password, and the join_url has the encrypted password already so clicking on the join_url will automatically pass in the password.

If typing in the password, you will use in the numeric password.

Does that clear things up?

The hash is generated via our backend and we cannot share the algorithm that does this to generate the hash with the plain text meeting password.

Thanks,
Tommy

12

Perfect. That is exactly what I needed. Thank you.

1 Like
13

You are welcome! :slight_smile:

Thanks,
Tommy

14

Looks like this is double base64 encoded :man_facepalming:

$ pbpaste | base64 -d
R2PLCgjeE0JP7kUPtGff8g==                                                                                             ➜  app 
$ pbpaste | base64 -d | base64 -d
<binary data>
1 Like
15

Hi @isaacly if you’re looking for additional protection on meetings, I’d suggest also implementing unique join_urls by requiring meeting registration. Adding a registrant to a meeting via API will generate unique join urls in the response.

17

Closing this topic.

Thanks,
Tommy