Issues with (CRC) for webhook API validation

I’ve been working on implementing CRC validation for our existing webhook application in anticipation of the changes required for October.

It is a Java servlet I created specifically to test the validation. The app does nothing but validate and return the JSON object. When I test the validation, the validation fails. The app is “Webhook_validation” and calls this endpoint [redacted]

When I test it, I get the proper JSON object returned and I doubled checked the HMAC using online tools to verify that my logic and encryption using the Secret Token was correct. I can’t see anything wrong with the response. Tested it locally in my development environment and remotely using Postman.

I don’t see anything in the logs. Can you tell what is going wrong? Seems pretty straightforward

Hi @pete_h
Thanks for reaching out to the Zoom Developer Forum!
I see you are having trouble validating your Webhook application
Have you taken a look at our sample app here?

Thanks Elisa,

Yes I have. My issue isn’t with the Webhook itself since I have had a webhook running for years. But because I need to change the validation of that webhook, I created another webhook with the new validation using the secret token CRC. Using Postman, I sent a sample payload to that webhook and then evaluated the returned json and it all looks great, but the option to validate the webhook fails when I test it from the marketplace website.

I can send you the endpoint and secret token privately since it isn’t a public URL, if you want to test the return yourself.



Hi @pete_h
Thanks for the update.
So when you click the button validate in the Marketplace, you are receiving the plainToken just fine, correct?

You should be getting something like this:

  "payload": {
    "plainToken": "qgg8vlvZRS6UYooatFL8Aw"
  "event_ts": 1654503849680,
  "event": "endpoint.url_validation"

Then you should be sending back to Zoom a plainToken and encrypted token (built with the secret token), something like this:

  "plainToken": "qgg8vlvZRS6UYooatFL8Aw",
  "encryptedToken": "23a89b634c017e5364a1c8d9c8ea909b60dd5599e2bb04bb1558d9c3a121faa5"

Are you able to send the CRC back to Zoom?

Yes…I could post the results without the secret if you want. It is exactly like that. I can debug the program and capture the payload and then grab the response by using Postman and just manually verify the HMAC to make sure the encryption is correct. It all looks good so there is something subtle causing the Marketplace verification to fail.

Thanks @pete_h
I will send you a private message and you can follow up there.

Hi everyone!
@pete_h was able to find a solution to his issue and I am sharing his findings here so the community can be aware of it:

The HMAC was properly encoded but what I noticed was that the alpha characters in hex at my end were created as upper case. I initially didn’t care because hex is not case sensitive but you folks must treat them as such.

So I changed the logic to produce the hex in lower case and it now verifies! So, my recommendation is that you ignore case at your end by either changing the encryptedToken to upper or lower case at your end for the comparison or you expressly state in your developer example that the Hex MUST be in lower case.

As soon as I changed the hex to lower case, the validation succeeded.


And , just to be completely clear: The hex encoding must be lower case because Zoom expects the encryptedToken HMAC to be in lower case. Once I changed it to lower case, it validated successfully.

1 Like