[Security Update] No token values in URL query parameters

Thank you for listening to the audience and rallying the Zoom troops to push back this update. Really appreciate the team effort to ensure all of our customers can continue using Zoom and our own services. Hope you have a great weekend @shariq.torres

1 Like

Hi Alyssa,

Zoom APIs is more of a developer type of functionality within Zoom. If your organization is simply using the Web UI to generate meetings then this change will have no effect on your account.



If I understood well, below way of working is the right way.

Can somebody confirm this?

Can somebody also post a code snippet of how it should NOT be?
Just for my reference and this would also give other people a more clearer view on what they might be doing wrong from Feb23.


1 Like

As others have already said, I need to get a list that I can follow or subscribe to in order to receive ALL notification.
I thought totally ready for to get all notification because I was input my email address in the input field in various pages. (but couldn’t…)

@shariq.torres , @donte.zoom

Hi guys, can you please confirm if this update will affect the following endpoints:

  1. OAuth with Zoom (Refresh Access Token API)
  2. OAuth with Zoom (Revoke Access Token API)

@shariq.torres thanks again for your responsiveness on the issue that was raised here.
Could I please check in with you again on the above question? Is there a specific page we should be checking or notification we should sign up for to be notified of breaking changes? I’m still not quite sure how to distinguish this big stuff from all of the more minor maintenance work that Zoom teams are constantly performing.

Make sure the developer contact for application that you have on the Zoom Marketplace is up-to-date. We usually send emails to the account owners and any administrators the admin has delegated. You can also sign up for the developer newsletter here: https://developers.zoom.us/.

Frederik, this is absolutely correct. This is an example in Python

You can read more about this on the docs where they give an example as well: https://marketplace.zoom.us/docs/guides/auth/oauth/#using-an-access-token

Is it this area?
I’ve already entered in Server-to-Server OAuth, JWT, Meeting SDK but did not receive it.

Yes, that is where you would enter your developer contact information. Are you the account owner or an administrator on the account?

I’m administrator on the account. Not owner.

Thanks for confirming, it sounds like this communication was sent out in a different manner. To make sure that you’re up-to-date on platform changes I recommend subscribing to our newsletter as well.

Was this change rolled out early instead of Feb 2023? We found this response in our logs when our (admittedly old) application called the service https://api.zoom.us/v2/users/{userId}/token .

{"code":124,"message":"Invalid access token, this access token is not supported as query parameter string."}

Aha, we think that free accounts are using the stricter access token handling, while paid accounts are using the permissive one that will be blocked on Feb 2023.

There should be no difference between the free accounts and paid accounts in how access token values are handled. Let me check with some of the engineers. But in general, all access tokens will have to be sent via request headers come Feb 14th, 2023.

You’re right. After testing with more accounts, we found that most don’t encounter the error but a handful do have that "Invalid access token, this access token is not supported as query parameter string." error.

After speaking with the engineers, it does seem that the free tiers have had this implemented already. The paid accounts will have some more time and they will be enforced Feb 14th, 2023

Thanks, that clears things up.

Can you please verify that refresh token endpoint still receives refresh_token as query param according to docs? (https://marketplace.zoom.us/docs/guides/auth/oauth/#refreshing-an-access-token)

If it’s not the case following this change, can you please provide the way to do so or update the docs?

Do you know if those calls can be from a marketplace app? If that is the case, will Zoom verify that marketplace apps follow the procedure?

The only apps the client should be responsible for are the ones they created, correct? In other words, users should check if there are any created apps first. If there are none, then the client shouldn’t be responsible for the validity of API calls from a marketplace app. And, hopefully not have to worry about this if Zoom is verifying marketplace apps are compliant.