Missing x-zm-signature heading on recording.completed webhooks

Format Your New Topic as Follows:

API Endpoint(s) and/or Zoom API Event(s)
recording.completed Webhook Event

I am trying to update our verification flow to use the new “verify with zooms header” verification flow described in the link below. My endpoint is receiving the recording.completed webhook as expected, and currently works with the verification token flow.

However, I am in the process of updating this to using the new verification flow, but the required headers (x-zm-signature) is missing. In my marketplace app settings, I have enabled a value for Secret Token and Verification Token (Retires in October 2023).

Any ideas why this is and how I can fix this?

There’s internal logging that gets triggered when this expected header is missing.

Hi @mokutsu ,

Hmm this is indeed strange!

Do you mind showing a picture with the headers? Can you use something like https://pipedream.com/requestbin to verify not receiving the headers?

Hi Gianni, Thank you for the response, apologies for the late reply.

I ended up changing this verification flow to use the custom header flow because we were facing a couple other issues - however, I’m noticing this new custom header is now absent.

  1. Marketplace settings
    In the zoom marketplace app settings, I have set the configuration to send custom headers and clicked ‘saved’. When I refresh the page, these changes are persisted. Our new custom header is using the standard x-prefix custom header (ie To confirm, is this sufficient, or are there further steps required for these headers to be set (eg republishing the app or something?)? Screenshot attached for where in the UI this was updated with placeholder values for screenshot only.

  2. Our Application
    We have an internal upstream system that has an allow-list of headers and strips out unallowed ones. I have updated this system, and with postman, verified this new header reaches our application (I copied a real recording.completed webhook and set this new custom header). I am not really comfortable sending our webhooks to an external tool, because these webhooks are for recording.completed, and contains PII / is used in prod (we’re just updating the verification flow on an existing production flow). Would it be possible to verify on Zoom’s end that these headers are being sent? Sample screenshot of real webhook with the zoom trace ID attached (note the expected new custom header is absent).

Sample screenshot of the place in the marketplace App UI that was changed to set the custom header (the actual header/value are different).

sample screenshot of prod webhook headers in our application