As a part of our continuing efforts to improve the security of Zoom OAuth App Types using Authorization flow, we are removing the ability to set the access tokens, refresh tokens and revoke tokens in the URL query parameters. This change will take effect in February 2023. It is strongly recommended that you update your API calls to set the token values in the Authorization header and not the HTTP query parameters. Failure to do so will result in rejected API calls and reduced functionality for your application. If you are not the technical point of contact, it is strongly recommended that you forward this message to the appropriate party.
Yes, it does. You would need to put the access_token in the ‘Authorization’ header for the request. In the curl example, you would have to use the output flag, i.e., --output /path/to/download.file.
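A sketch of the migration discussed in this thread, added here as an example and not code from Zoom or from any poster: it moves an `access_token` out of a URL's query string into an `Authorization: Bearer` header, and scans request logs for URLs that still carry a token. The host, paths, token values and function names are constructed for illustration; only the parameter names `access_token` and `refresh_token` come from the thread.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names taken from the thread; extend the tuple for your own client.
TOKEN_PARAMS = ("access_token", "refresh_token")
_TOKEN_RE = re.compile(r"([?&])(" + "|".join(TOKEN_PARAMS) + r")=([^&\s]+)")

# Constructed sample of an outbound-request log (hypothetical host and paths).
SAMPLE_LOG = [
    "GET https://api.example.test/v2/users/me?access_token=abc123 200",
    "GET https://api.example.test/v2/users/me 200",
    "POST https://api.example.test/oauth/token"
    "?grant_type=refresh_token&refresh_token=def456 200",
]


def move_token_to_header(url, headers=None):
    """Strip access_token from the query string and send it as a Bearer header."""
    parts = urlsplit(url)
    token, kept = None, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "access_token":
            token = value
        else:
            kept.append((name, value))  # unrelated parameters stay in the URL
    headers = dict(headers or {})
    if token is not None:
        if "Authorization" in headers:
            raise ValueError("request already has an Authorization header")
        headers["Authorization"] = "Bearer " + token
    return urlunsplit(parts._replace(query=urlencode(kept))), headers


def find_token_urls(log_lines):
    """Return (line_no, param, redacted_line) for lines with a token in a URL."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = _TOKEN_RE.search(line)
        if match:
            # Redact the value so the audit report does not repeat the leak.
            redacted = _TOKEN_RE.sub(r"\1\2=<redacted>", line)
            hits.append((line_no, match.group(2), redacted))
    return hits
```

Running `find_token_urls` over your own client or proxy logs shows which call sites still need the change, and illustrates why query-string tokens are a problem: they are written to logs in clear text.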
@shariq.torres
Is this only for access_token and refresh_token?
Will it also apply to client_id and client_secret, or can those still be passed through url query parameters?
Hi @shariq.torres ,
We are using the following format to generate / refresh / revoke access tokens.
Are these still okay to use? We are requesting the API by sending user details in the request body, and the authorization header has only the client and secret id.
Hello! What does this even mean? I am not a tech person and although the email stresses that we forward the notice to the appropriate technical contact, we do not have one. Can anyone tell me if this will impact me?
We use Zoom for meetings nationally and internationally. We have the PRO version of Zoom. And, when I called tech support, I was hung up on by the computer system (not by a person) twice so I could not get through. Thanks
@shariq.torres Thank you for your prompt reply to my previous question.
I have two follow up thoughts:
It appears that the email notification for this change went to the wrong list of users. I did not receive this notice on any of my Zoom Developer Accounts, I only received the email notification on my end user accounts.
4 days is impossibly short notice. The last notice I saw about this was on February 23, 2022 (Announcements) when it was said “At a date to be determined, we will make these features mandatory. We will notify you in advance of this date.”
Most anyone will need more than 4 days to make a change of this magnitude. Was your original forum post the advance notice?
There was another email communication that was sent in May of this year as well as another email in August. There was also the announcement that you linked. I believe around springtime, the documentation was changed to reflect sending access_tokens via the headers.
From the pushback we have received, I think the assumption was that developers had already made these changes. That obviously was a bad assumption. I’m working with some of the stakeholders to see what options we have going forward, but I won’t have an update until tomorrow.
If you use the Zoom APIs for your application, then you are affected. Do you have the contact of the developer(s) that made your application? They would be the appropriate party to forward this info.
One way you can verify if you use Zoom APIs is to log in to Zoom Marketplace and check if there are any API Call logs. Here is a screenshot of what that page looks like:
(BTW, no one at our organization seems to have received the May or August email notifications. Though, we did receive the email notification sent on Monday, Nov. 14.)