Dear Zoom Developer Support,
We have an OAuth app published on the Zoom App Marketplace and receive app deauthorization notifications at our Deauthorization URL. We are unable to verify these requests because the webhook payload does not include the headers required for verification. As a result, we respond with HTTP 400 and do not run our deauthorization logic (e.g. removing the user’s Zoom integration on our side).
**What we see**
- When a user uninstalls our app from their Zoom account, we do receive a POST request at our Deauthorization URL.
- The request does **not** include an `Authorization` header.
- The request also does **not** include `x-zm-signature` or `x-zm-request-timestamp` headers.
- We therefore cannot verify the request using either method described in your documentation (Authorization header with verification token, or HMAC verification with x-zm-signature). For security reasons we currently reject the request with 400.
**What we need**
1. Can Zoom include either (a) the `Authorization` header with our verification/secret token, or (b) the `x-zm-signature` and `x-zm-request-timestamp` headers, when sending the **app_deauthorized** webhook to our Deauthorization URL?
2. If yes, is there a setting we must enable for our app (e.g. “Authentication Header Options” or “Token Authentication” for webhooks)? If so, please tell us where to find it (e.g. Build App → Features → Access / Event Subscriptions).
3. If this is a known limitation or bug on Zoom’s side for deauthorization events, please let us know the recommended workaround (e.g. whether we should relax verification temporarily or wait for a fix).
The headers we received are below:

| header | value |
|---|---|
| zm-trace-upstream | Meeting_Web_marketplace |
| traceparent | 00-… |
| accept-encoding | gzip |
| content-type | application/json |
| accept | / |
| x-zm-request-id | xxxx |
| user-agent | zoom-marketplace/1.0 |
| clientid | xxxxx |
| content-length | 303 |
| x-amzn-trace-id | xxxx |
| host | example.com |
| x-forwarded-port | 443 |
| x-forwarded-proto | https |
| x-forwarded-for | xxxxx |
Our endpoint already supports both verification methods; we only need Zoom to send one of them so we can verify the request.
Thank you for your help.
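
For readers following this thread, the fail-closed check the post describes can look like the sketch below. It is an added example, not part of the original post and not Zoom's code. It assumes the `v0:{timestamp}:{body}` HMAC-SHA256 format from Zoom's webhook documentation; the function name, the 300-second window, the epoch-seconds timestamp unit and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed replay window, not a Zoom-documented value

# Constructed sample: header names as reported in the post, placeholder values.
SAMPLE_UNSIGNED_HEADERS = {
    "content-type": "application/json",
    "user-agent": "zoom-marketplace/1.0",
    "clientid": "xxxxx",
    "x-zm-request-id": "xxxx",
}
SAMPLE_BODY = b'{"event":"app_deauthorized","payload":{"user_id":"constructed"}}'


def verify_zoom_request(headers, raw_body, secret_token,
                        verification_token=None, now=None):
    """Return (ok, reason). Rejects when no verification header is present."""
    h = {k.lower(): v for k, v in headers.items()}
    sig, ts = h.get("x-zm-signature"), h.get("x-zm-request-timestamp")
    if sig and ts:
        # Assumes the timestamp is epoch seconds; reject anything else.
        if not ts.isdigit():
            return False, "bad-timestamp"
        now = time.time() if now is None else now
        if abs(now - int(ts)) > MAX_SKEW_SECONDS:
            return False, "stale-timestamp"
        # Sign the raw body bytes exactly as received, before any JSON parsing.
        message = b"v0:" + ts.encode() + b":" + raw_body
        digest = hmac.new(secret_token.encode(), message, hashlib.sha256)
        expected = "v0=" + digest.hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        ok = hmac.compare_digest(expected.encode(), sig.encode())
        return ok, ("signature-ok" if ok else "signature-mismatch")
    auth = h.get("authorization")
    if auth and verification_token:
        ok = hmac.compare_digest(auth.encode(), verification_token.encode())
        return ok, ("token-ok" if ok else "token-mismatch")
    # Neither method is usable: treat the request as unauthenticated.
    return False, "no-verification-headers"


if __name__ == "__main__":
    print(verify_zoom_request(SAMPLE_UNSIGNED_HEADERS, SAMPLE_BODY, "constructed-secret"))
```

Logging the returned reason next to `x-zm-request-id` gives a record of which verification path failed for each rejected request.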