Refresh token request failing with 401

Hey @tsykul, @nathan.arora, @alon, @roy, @shane.zoom, @ps40,

Here are updates on the Invalid Token bug:

Conditions: This problem can arise when a token is granted and then
immediately used to call a Zoom API endpoint. The server that issues
the new token sets the nbf (not valid before) time to be the time
“exactly now.” But not all servers at Zoom have synchronized
clocks. If the token is immediately used for an API endpoint that is
on a different server, that server’s local clock may be up to a second
too slow, with a time before the token’s nbf time, causing the server
to reject the token.

This bug applies to:

  • All token requests: Both original token grants, and refresh grants.
  • All tokens: that includes JWT tokens, as well as OAuth tokens of
    both grant types: authorization_code and client_credentials.

Reproducibility: This problem is either 0% or 90% reproducible: it
depends on how the Zoom load balancer forwards API requests to Zoom
servers. It can happen either all the time, or not at all, depending
on your source IP address.

Fix time: We will have a fix that will roll out in an upcoming release.

Work-around: After acquiring a token, wait 1 second before using it.

Thanks,
Tommy

2 Likes
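
The nbf check and the 1-second work-around described in the post above, modeled as an added Python example (not part of Tommy's post and not Zoom code). The token builder, the function names, and the `leeway` parameter are assumptions for illustration, and tokens are assumed to be JWT-shaped with a readable `nbf` claim.

```python
import base64
import json
import time


def b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(nbf: int) -> str:
    """Constructed JWT-shaped token for this demo; not a real Zoom token."""
    return ".".join([b64url({"alg": "none"}), b64url({"nbf": nbf}), "constructed-sig"])


def read_nbf(token: str) -> int:
    """Decode the payload segment and return its nbf claim (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["nbf"])


def server_accepts(token: str, server_clock: float, leeway: float = 0.0) -> bool:
    """Model of the receiving server's not-before check (leeway is hypothetical)."""
    return server_clock + leeway >= read_nbf(token)


def remaining_wait(acquired_at: float, now: float, wait: float = 1.0) -> float:
    """Seconds still to wait before first use, measured from acquisition."""
    return max(0.0, wait - (now - acquired_at))


def hold_until_usable(acquired_at: float) -> None:
    """Call before the first API request; acquired_at comes from time.monotonic()."""
    time.sleep(remaining_wait(acquired_at, time.monotonic()))


def simulate(api_clock_offset: float, client_delay: float, leeway: float = 0.0) -> bool:
    """Issue a token at T, then use it client_delay seconds later on a server whose
    clock is api_clock_offset seconds away from the issuing server's clock."""
    issued = 1_700_000_000  # constructed issue time T
    token = make_sample_token(nbf=issued)
    return server_accepts(token, issued + client_delay + api_clock_offset, leeway)


if __name__ == "__main__":
    print(simulate(-0.8, 0.0))                           # immediate use, slow server
    print(simulate(-0.8, remaining_wait(100.0, 100.0)))  # after the 1-second wait
```

Measuring the wait from the moment the token response arrives, on a monotonic clock, keeps the client's own wall-clock error out of the calculation.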