OAuth and webhooks in multiple environments

I have 3 environments.

  1. https://example.com
  2. https://sub1.example.com
  3. https://sub2.example.com

I would like to use OAuth and webhook in 3 environments in one app.

To support all domains, should I set the Redirect URL for OAuth to “https://any.example.com”?
In addition, should I set “https://example.com” in Add allow lists?

Also, should I set “https://any.example.com/endpointurl” for the Endpoint URL of the Deauthorization notification?

Also, should I set “https://any.example.com/notification” for the webhook Event notification endpoint URL?

Hi @taki22

Thanks for reaching out to the Zoom Developer Forum, I am happy to help here!
Please refer to the Documentation here:

Hope this helps,
Elisa

Hi @elisa.zoom

Is there a way to set notification endpoint URL in development environment (https://sub1.example.com/notificationendpointurl) and production environment (https://example.com/notificationendpointurl) respectively?

If not possible, should I set the production environment’s notification endpoint URL (https://example.com/notificationendpointurl ) when reviewing the app?

If the development environment’s notification endpoint URL (https://sub1.example.com/notificationendpointurl) is not set, will this cause problems when reviewing or updating the app?

Hi @taki22

Thanks for sharing more details with me.
When you say notification endpoint URL, are you referring to the URL that will be receiving webhook events?

And when our team reviews the app, they do it with the Production credentials, since they will be reviewing the app as if they were the final users/customers so the development credentials are specifically for you for testing purposes.

Hope this helps,
Elisa

Hi @elisa.zoom

When you say notification endpoint URL, are you referring to the URL that will be receiving webhook events?

Yes, that’s right.
Of the webhook events, it is a deauthentication notification.
information > Deauthorization notification > Endpoint URL.

  1. I am asking whether it is possible to set the deauthentication notification endpoint URL separately in the development environment and the production environment.

  2. If it is impossible to set both in the development environment and the production environment, is the answer that if you set only the deauthentication notification endpoint URL in the production environment, you can pass the inspection without any problems?

And when our team reviews the app, they do it with the Production credentials, since they will be reviewing the app as if they were the final users/customers so the development credentials are specifically for you for testing purposes.

  1. At the time of the review, you answered that you would use the information of the production environment, but does Zoom use the information of the development environment?

  2. There is the following description in the APP settings.
    “Zoom will only use these credentials to test App Update requests.”
    We believe that Zoom will use the development environment information when updating the APP.
    If you set only the deauthentication notification endpoint URL of the production environment when updating the APP, will there be any problems such as failing the review?
    “Redirect URL for OAuth” or “Webhook Event notification endpoint URL”
    can set two information for development environment and production environment, but it is difficult to set because only one deauthentication notification endpoint URL can be set.

Hi @elisa.zoom

Do you think it will take a long time to answer?

Hi @taki22
I apologize for the late response.

About the previous questions you reached out about:

  1. I am asking whether it is possible to set the deauthentication notification endpoint URL separately in the development environment and the production environment.

You can use separate environments, yes.

  1. If it is impossible to set both in the development environment and the production environment, is the answer that if you set only the deauthentication notification endpoint URL in the production environment, you can pass the inspection without any problems?

If the deauthentication notification endpoint URL is properly set up and working in the production environment, there should be no issues with functional testing.

  1. At the time of the review, you answered that you would use the information of the production environment, but does Zoom use the information of the development environment?

Our Marketplace team only uses development credentials once your app is published in the Marketplace and you are making an Update request to your published app.

  1. There is the following description in the APP settings.
    “Zoom will only use these credentials to test App Update requests.”
    We believe that Zoom will use the development environment information when updating the APP.
    If you set only the deauthentication notification endpoint URL of the production environment when updating the APP, will there be any problems such as failing the review?
    “Redirect URL for OAuth” or “Webhook Event notification endpoint URL”
    can set two information for development environment and production environment, but it is difficult to set because only one deauthentication notification endpoint URL can be set.

I am not sure I understand this last question. But there is only one Deauthentication notification endpoint and the Redirect URL for OAuth might be different for production and development. If you are submitting your app for review, our team will use production credentials.

Once your app is published and if you want to make an update, then the team will use the development credentials.

Hope this helps
Elisa

Hi @elisa.zoom

I’m asking again because the problem is still not resolved.

For development purposes, we need to set the deauthentication notification endpoint URL in development and production environments respectively.

Deauthorization notification > Endpoint URL
Production environment “https://example.com/endpointurl”
Development environment “https://develop.example.com/endpointurl”

However, only one Deauthorization notification>Endpoint URL can be set in the APP settings. Because there is only one input field.

If only one can be set, we plan to set the production environment information “https://example.com/endpointurl”.

As far as I can confirm the answer, the deauthentication notification endpoint URL (https://example.com/endpointurl) works normally, because the information in the production environment is used when conducting the APP review.
I think I will pass the examination without any problems.

However, in the future, if you make any updates to this APP and make an update request, the deauthentication notification endpoint URL (https://example.com/endpointurl) will be the information of the production environment.
It is not the development environment information (https://develop.example.com/endpointurl).
Is there a problem that the information is not in the development environment and the update request fails?
Or will the update request succeed without any problems even if it is information from the production environment?

Hi @elisa.zoom

Is my understanding correct?

Hi @taki22
Your understanding is correct.
The update request will be successful even if your deauthorization endpoint URL is set to the production environment.

Hi @elisa.zoom

Thank you for your kind response.
My doubts have been resolved.

I am happy to help :slight_smile: @taki22