Migration from validation token to secret token

I switched my webhooks to use the “secret token” for webhook event notification verification, but the verification is failing. Is there something I need to do to switch from the “verification token” to the “secret token”?

I saw one post that said both would be sent, but I can’t comprehend how the signature that is sent would work as a hash for both tokens at once.

Do I need to clear out the “verification token” (is that even possible)?

Hi @springy_screenshare
Thanks for reaching out to us and welcome to our Zoom Developer Community!
I am happy to help here!
Here is a link to a guide we have on verifying webhook events

Let me know if this helps

Yeah, I’ve looked at that doc and I am doing what it says (and it’s been working for years now), but there’s no info there about transitioning from the old key to the new key. I created the new key, I added it to my code, but… what causes the webhooks to change so they send the signature using the new key instead of the old one?

When creating your signature to validate webhook events, you should be using the secret token. We will stop sending the verification token soon

“Soon”, but right now I’m getting warnings from Zoom that my webhooks will stop getting sent because they aren’t validating since I switched to the secret token… Is there not some migration process that can be done?

So basically if you are able to validate your endpoint URL, you are using the secret token correctly then.
Are you able to validate your endpoint URL and receive events?

My endpoint URL is validated, it’s just since switching to the secret token that the webhook events themselves don’t validate. I’m still not clear on how the webhooks themselves know to send a hash of the secret token rather than the old verification token.

I will send you a DM to look further into your account

Ok, so I updated the app webhook data so I could revalidate the webhook endpoint. That worked. Zoom says it’s valid and I see the 200 in my logs.

But when I start a meeting to trigger the “start meeting” webhook, I still see that the event webhook request is not validating. I reconfirmed that the hash is being generated correctly on my side.

This is the sample app that I use to test webhooks

So what you are saying is that the signature you are generating does not match the one returned in the headers?

Yeah the signatures don’t match. But my code is definitely using the right process to generate it from the key.

I tried deleting the event subscription and creating a new one. It validates but then the webhook event hashes still don’t match.

Do I need to completely recreate my Webhook Apps?

Not at all @springy_screenshare
I do not think you need to recreate them.
I would be happy to take a look at your code and help you debug.
Have you been able to run the sample app that I shared using your credentials?

Please follow up in the DM I sent
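
Added example, not part of the thread and not Zoom's sample app: a Python sketch of the two checks discussed above, following Zoom's documented scheme in which the `x-zm-signature` header is `v0=` plus the hex HMAC-SHA256 of `v0:{x-zm-request-timestamp}:{body}` keyed with the secret token, while the endpoint URL validation reply hashes only `plainToken`. It shows that URL validation can pass while event verification fails if the signature is computed over a re-serialized body or with the old verification token. The token values, sample body, `demo` helper and the 300-second `max_skew` replay window are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

def sign_event(secret_token: str, timestamp: str, raw_body: bytes) -> str:
    """Signature over 'v0:{timestamp}:{raw body}', keyed with the secret token."""
    message = b"v0:" + timestamp.encode() + b":" + raw_body
    digest = hmac.new(secret_token.encode(), message, hashlib.sha256).hexdigest()
    return "v0=" + digest

def verify_event(secret_token, headers, raw_body, now, max_skew=300):
    """Check x-zm-signature against the bytes received; reject stale timestamps."""
    timestamp = headers.get("x-zm-request-timestamp", "")
    received = headers.get("x-zm-signature", "")
    if not timestamp.isdigit() or abs(now - int(timestamp)) > max_skew:
        return False  # max_skew is a replay window assumed for this example
    expected = sign_event(secret_token, timestamp, raw_body)
    return hmac.compare_digest(expected, received)  # constant-time comparison

def url_validation_response(secret_token: str, plain_token: str) -> dict:
    """Reply to endpoint.url_validation: HMAC of plainToken only, not the body."""
    encrypted = hmac.new(secret_token.encode(), plain_token.encode(),
                         hashlib.sha256).hexdigest()
    return {"plainToken": plain_token, "encryptedToken": encrypted}

# Constructed sample values, not real credentials or a captured request.
SECRET_TOKEN = "example-secret-token"
OLD_VERIFICATION_TOKEN = "example-verification-token"
NOW = 1700000000
RAW_BODY = b'{"event":"meeting.started","payload":{"object":{"id":"123"}}}'
HEADERS = {
    "x-zm-request-timestamp": str(NOW),
    "x-zm-signature": sign_event(SECRET_TOKEN, str(NOW), RAW_BODY),
}

def demo() -> dict:
    # Parsing and re-serializing changes the spacing, so the signed bytes differ.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "raw_body": verify_event(SECRET_TOKEN, HEADERS, RAW_BODY, NOW),
        "reserialized_body": verify_event(SECRET_TOKEN, HEADERS, reserialized, NOW),
        "old_token": verify_event(OLD_VERIFICATION_TOKEN, HEADERS, RAW_BODY, NOW),
        "stale": verify_event(SECRET_TOKEN, HEADERS, RAW_BODY, NOW + 3600),
    }

if __name__ == "__main__":
    print(demo())
```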