Missing x-zm-signature header in some received webhooks

Some received webhooks from our webhook only app do not have the “x-zm-signature” and “x-zm-request-timestamp” headers.

I don’t see a way to replicate it, since it doesn’t happen with every event, only with some, for example, some meeting.deleted events have it, and others don’t.

Examples of events without “x-zm-signature” header

{
   "event": "meeting.deleted",
   "event_ts": 1688449468835,
   "payload": {
      "account_id": "sLeC7OKESquD5lVVkEgwsQ",
      "object": {
         "host_id": "qOipRXjBQEmUK5BJweUzeQ",
         "id": 87120266029,
         "type": 2,
         "uuid": "YesHmIzVSsCTiRMVKSgz5A=="
      },
      "operator": "ZOOM"
   }
}

Headers

Accept-Encoding
gzip

Authorization
[Filtered]

Clientid
[Filtered]

Content-Length
226

Content-Type
application/json; charset=utf-8

Host
[Filtered]

User-Agent
Zoom Marketplace/1.0a

X-Forwarded-For
[Filtered]

X-Forwarded-Host
[Filtered]

X-Forwarded-Port
443

X-Forwarded-Proto
https

X-Forwarded-Server
61f878f253c4

X-Real-Ip
[Filtered]

X-Zm-Trackingid
v=2.0;clid=us02;rid=OP_00ced00a75474d5ba54601f3c75532dd


Events with “x-zm-signature” header

{
   "event": "meeting.deleted",
   "payload": {
      "account_id": "sLeC7OKESquD5lVVkEgwsQ",
      "operator": "ZOOM",
      "object": {
         "uuid": "wmijobq1RbugUFEd1YoW+g==",
         "id": 83726758862,
         "host_id": "HCRj4dGuSbiY80TbuDtnxg",
         "type": 2
      }
   },
   "event_ts": 1688449468835,
   "fingerprint": "22194afce96c8e9c6be7abe509180f42",
   "headers": {
      "accept-encoding": [
         "gzip"
      ],
      "x-zm-trackingid": [
         "v=2.0;clid=us02;rid=OP_00ced00a75474d5ba54601f3c75532dd"
      ],
      "x-zm-signature": [
         "v0=c0d3e216dd255dbde8dca22d4358b3e0c12aff1ffac0066847040eb2eae50862"
      ],
      "x-zm-request-timestamp": [
         "1688449468"
      ],
      "x-real-ip": [
         "134.224.191.0"
      ],
      "x-forwarded-server": [
         "61f878f253c4"
      ],
      "x-forwarded-proto": [
         "https"
      ],
      "x-forwarded-port": [
         "443"
      ],
      "x-forwarded-host": [
[Filtered]
      ],
      "x-forwarded-for": [
[Filtered]
      ],
      "content-type": [
         "application/json; charset=utf-8"
      ],
      "clientid": [
[Filtered]
      ],
      "authorization": [
[Filtered]
      ],
      "content-length": [
         "226"
      ],
      "user-agent": [
         "Zoom Marketplace/1.0a"
      ],
      "host": [
[Filtered]
      ]
   }
}
1 Like

We are facing a similar issue as well.

We raised a support ticket too but it was closed and we were redirected to make a post on this forum. We hope someone at Zoom can look into this issue.

I will post the content of our support ticket here for additional context:

We are trying to migrate our webhook verification to the new secret token mechanism as documented here:
Using webhooks

However, we are having the issue where even though some webhook headers do have the new x-zm-signatureand x-zm-request-timestamp headers, others do not.

An example of one such payload is the following (only some relevant fields for the investigation included):

“id”:“d51f55c71cf14a369276904e4fe7cab1”
“event”:“phone.recording_completed”
“date_time”:“2023-07-12T04:42:03Z”
“recording_type”:“Automatic”
“call_log_id”:“d51f55c7-1cf1-4a36-9276-904e4fe7cab1”
“call_id”:“7254787817105360776”

We would appreciate if you could look into this matter so that we can migrate to the new verification mechanism. Thank you very much.

link to our support ticket
https://support.zoom.us/hc/en-us/requests/17616742