OAuth app security


We are about to publish an OAuth app to allow users to authorize us to access their data via Zoom api.
When one of our user tries to install our app we get the authorization request right - how do we ensure that this request is actually coming via Zoom from a valid user? Just want to make sure that this is not a bad player who is sending random requests to our app.

I am looking for something similar to de-authorisation request where we can verify if the request was from zoom using the secret_token. Do we have something like this during installation as well? Or is there any better approach? Please help.

1 Like

Thank you for posting in the Zoom Developer Forum – I am happy to help. See my comments below:

One way to ensure the request comes via a valid user from the provided pre-approved endpoints URL. In the Marketplace OAuth app, you can add unique URLs that Zoom should allow as valid redirect URLs for your OAuth flows. This additional security measure ensures that users are only redirected to the provided pre-approved endpoints. This is a required step to secure your app and prevent unwanted tampering with your app as it is added to your account. To minimize the risk of sensitive data leakage, only include the URLs you provided in the Add allow lists field.

OAuth 2.0 authorization protocol is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. To learn about this topic, I’ve linked some additional resources you may want to check out below.

With regards to your second question, OAuth apps are provided with a verification token found on the Features page of the app’s Dashboard. Every time a user uninstalls or deauthorizes your App, the App Deauthorization event is triggered. The header of the POST response will contain a property called authorization which stores your app’s verification token. You can compare the verification token received in the header to that of your app (retrievable via Marketplace >> Manage >> {YourApp} >> Features ) to ensure that the request is being sent by Zoom. For more information on Deauthorization, see our support documentation here.

Please let me know if this helps.

Helpful Resources



Thanks @donte.zoom for your reply.
I understand the usage of verification token(or secret token) during de-authorization and we have been using it in our de-authorization flow of the app.
We have also added the pre-approved urls to the allow list in the app.
So is this enough to ensure the standard security of the app?
My question was about the usage of verification token(or secret token) during install request as well. Is there a provision for this?

This topic was automatically closed 368 days after the last reply. New replies are no longer allowed.