Jwt authentication starts return 401 at 2023-06-09 13:00 UTC+9


We have using JWT server-to-server authentication

and several days ago heard JWT has deprecated at June 1, and extended end-of-life date to September 1.

from Migrating the Zoom app in Azure to OAuth – Zoom Support

but today JWT authentication starts return 401 suddenly at 2023-06-09 13:00 UTC+9

We not updated any programs, account settings, APIs.
but some accounts are meet this trouble, some are normal.

401 case response =>
https://api.zoom.us/v2/users/[!!!EMAIL!!!] >>> [401]Unauthorized
[2023-06-09 14:21:07,432] [ERROR] response >>> {“code”:124,“message”:“Invalid access token.”}

[2023-06-09 14:21:07,430] [ERROR] null : [HTTP/1.1 401 Unauthorized]
[2023-06-09 14:21:07,430] [ERROR] expires : [Thu, 01 Jan 1970 00:00:00 GMT]
[2023-06-09 14:21:07,430] [ERROR] CF-RAY : [7d46ede29f5e0aa6-KIX]
[2023-06-09 14:21:07,430] [ERROR] Server : [cloudflare]
[2023-06-09 14:21:07,430] [ERROR] Connection : [keep-alive]
[2023-06-09 14:21:07,430] [ERROR] pragma : [no-cache]
[2023-06-09 14:21:07,431] [ERROR] Date : [Fri, 09 Jun 2023 05:21:07 GMT]
[2023-06-09 14:21:07,431] [ERROR] set-cookie : [zm_aid=“”; Domain=.zoom,us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly]
[2023-06-09 14:21:07,431] [ERROR] CF-Cache-Status : [DYNAMIC]
[2023-06-09 14:21:07,431] [ERROR] NEL : [{“success_fraction”:0.01,“report_to”:“cf-nel”,“max_age”:604800}]
[2023-06-09 14:21:07,431] [ERROR] content-disposition : [inline;filename=f.txt]
[2023-06-09 14:21:07,431] [ERROR] Cache-Control : [no-cache, no-store, must-revalidate, no-transform]
[2023-06-09 14:21:07,431] [ERROR] x-content-type-options : [nosniff]
[2023-06-09 14:21:07,432] [ERROR] Report-To : [{“endpoints”:[{“url”:“https://a.nel.cloudflare.com/report/v3?s=kUP6eIFumxmOgaU7wLxLOMPtvbGzHU9o%2F4AlLLMjrsU5M5MWBEChYYLEYyRsa2ntXxS4LeTe3s4LX%2F4xgROWIZrhfy%2BpH2%2BZhId5uUOwArviNfF8KutDd8QWQcu3”}],“group”:“cf-nel”,“max_age”:604800}]
[2023-06-09 14:21:07,432] [ERROR] Set-Cookie : [__cf_bm=etQof5LPpx8a5neJxc9hveVC6I6qdDbEBBTIyAXqdUg-1686288067-0-AQBbsrLzcV+L3eaA4evaK1By3x4y7XUYHgrygUHkPRxcFMiIyqhPK2hG4nHvV9bC7f3cPtZFTAxgVyZIiOBxcqg=; path=/; expires=Fri, 09-Jun-23 05:51:07 GMT; domain=.zoom,us; HttpOnly; Secure; SameSite=None, _zm_mtk_guid=46e36d98e4ad4364afa79f967ed813e7; Domain=.zoom,us; Expires=Sun, 08-Jun-2025 05:21:07 GMT; Path=/; Secure, _zm_chtaid=840; Domain=.zoom,us; Expires=Fri, 09-Jun-2023 07:21:07 GMT; Path=/; Secure; HttpOnly, _zm_ctaid=KZcborBqTfeoRvYiuVheug.1686288067106.38d28646cd4a14dd8fe82622630b4531; Domain=.zoom,us; Expires=Fri, 09-Jun-2023 07:21:07 GMT; Path=/; Secure; HttpOnly, cred=C6A0890F6B696A9DB20AAE2164A31743; Path=/; Secure; HttpOnly, zm_htmaid=“”; Domain=.zoom,us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly, zm_tmaid=“”; Domain=.zoom,us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly, zm_haid=“”; Domain=.zoom,us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly]
[2023-06-09 14:21:07,432] [ERROR] alt-svc : [h3=“:443”; ma=86400]
[2023-06-09 14:21:07,432] [ERROR] x-zm-trackingid : [v=2.0;clid=aw1;rid=WEB_b09315d925114f208da7d3fdc9634ece]
[2023-06-09 14:21:07,432] [ERROR] Content-Length : [46]
[2023-06-09 14:21:07,432] [ERROR] x-zm-zoneid : [VA]
[2023-06-09 14:21:07,432] [ERROR] Content-Type : [application/json;charset=UTF-8]
[2023-06-09 14:21:07,432] [ERROR] ---------------------------------------
[2023-06-09 14:21:07,432] [ERROR] response >>> {“code”:124,“message”:“Invalid access token.”}


Another Zoom integrator here. We see the same thing - currently a JWT integrator with plans to move to OAuth within the timeframe publicly established (as linked above). But sometime after 10:45PM ET we see NO new calls in the call log and our system also responds with an Invalid Access Token.


Yes, we started receiving the the same error since last night at 10:57 EDT
*{“code”:124,“message”:“Invalid access token.”}
Just wondering if there is any downside in Zoom API ?

@imaxsoft2 , @jharris1, @aalamour we’ll look into this and get back to you here with more information ASAP.

We found workaround by hardcoding the Zoom token in our code , but this is temporary solution until fix the issue in Zoom API.

@aalamour , what are the details of that hardcoded token? Previously created tokens are working, but newly generated tokens do not work?


I have got the token from developer account and make it expire after one week and hardcoded it in my code that calls Zoom API. So my call now use the same token eveny time calls Zoom API.

@aalamour can you share the function you’re using to generate the token that does not work?

@jharris1 @imaxsoft2 , we are continuing to investigate with our service engineering team. In the interim, from what I see, if you go to your JWT app and retrieve a token and use this manually, API requests will work. This should restore service.

Adding the key ‘manually’ is not an approach we can use easily with a compiled app that must go thru a QA/test/release cycle - and then have to be switched BACK after you implement your fix?!

1 Like

Understood completely, John. We’re still working on root cause, as we’re only seeing these issues on a small subset of accounts. I’ve sent you an email through your support ticket, if you can share additional details there, we’d greatly appreciate it.

In addition, we note that the typ parameter in the header and the ‘aud’ claim in the payload are different in the tokens that HAD been working from our application versus the ‘manual’ JWT token that your page in now generating.

OLD tokens

NEW tokens
typ is missing

Perhaps Zoom’s token generation and validation changed as a result of some code change?

After more research, we also notice that we had been sending quotes around the aud, exp, and iat claims, and your new tokens apparently don’t have that, which still might point to new validation logic on the Zoom side.


Yes , we have been using the standard token generation method in our code and it has been working fine until last night. since last night, we are started receiving the invalid token error. We already opened case with Zoom support and waiting the response.


It is the standard function mentioned in Zoom developer documentation that we have been using it since two years till date and it was working all the times. We didn’t make any change on it in our side. Wondering why Zoom API is not accepting it since last night. Was there any update on Zoom API or it is issue in the API ?


It looks like the issue was resolved based on the feedback we provided above. I look forward to Zoom’s RCA.

1 Like


Could you please share with me the link for this post ?

Zoom Status - A subset of users are unable to access zoom API with JWT tokens