Sensitive Information Exposure

I am in the process of submitting my Zoom OAuth app, and during the security review the reviewer stated that my old version of the API is exposing sensitive information.

The old version of the API creates new scheduled meetings on my Zoom account, using custCreate with a JWT app for all my end users, by returning the start_url to the person who creates the meeting from my app and the join_url to whoever the host sends it to.

The reviewer stated that the zak query param, which is an encoded JWT, can be decoded to expose Zoom account information like zm skm in the headers and uid in the payload.

I have told the reviewer that the zak is part of the start_url sent in the response of the meeting-creation Zoom endpoint, and it needs to be there so we can redirect the user who creates the meeting to Zoom as the meeting host.

And I am not sure what kind of bad things people can do with the decoded JWT. The reviewer takes a bit of time to reply, so that is why I am asking here. What should I do to unblock the reviewing progress ASAP? I need this app published ASAP, because I am running late on the deadline, so getting fast replies is really critical.

Please note that the reviewer has asked for the above details about my old API, which is using the JWT app, and not the new API, which is using the OAuth app and is the one I am trying to publish.
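The reviewer's point above is that a JWT carried in a URL is readable by anyone who holds that URL: the header and payload are base64url-encoded, not encrypted, so the signature only proves integrity, not confidentiality. The following added example (not code from the original post, Zoom, or the reviewer) builds a constructed HS256 token with a placeholder `skm` header field and `uid` claim, shows that both are recoverable without the signing secret, and then splits a meeting-creation response so that only the creator's view carries the `start_url` (with its `zak`) while attendees receive the `join_url` only. The token contents, secret and URLs are all constructed placeholders, not real Zoom values.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed signing secret for the demo token; a real zak is minted and signed by Zoom.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment drops, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 JWT from constructed header/payload dicts."""
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def peek_without_key(token: str) -> tuple[dict, dict]:
    """Read header and payload of a JWT with no key at all.

    This is the reviewer's concern: whoever sees the start_url can read
    every claim in the zak, even though they cannot forge a new one.
    """
    h, p, _sig = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))


def zak_from_start_url(start_url: str) -> str:
    """Pull the zak query parameter out of a start_url."""
    return parse_qs(urlparse(start_url).query)["zak"][0]


def split_views(meeting: dict) -> tuple[dict, dict]:
    """Separate a meeting-creation response into two response shapes.

    host_view: returned only to the authenticated creator (carries start_url).
    attendee_view: safe to hand to invitees (join_url only, no zak anywhere).
    """
    host_view = {k: meeting[k] for k in ("id", "start_url", "join_url")}
    attendee_view = {k: meeting[k] for k in ("id", "join_url")}
    return host_view, attendee_view


def demo() -> dict:
    """Run the whole flow on constructed data and return what was observed."""
    # Constructed claims: 'skm' in the header and 'uid' in the payload mirror the
    # field names the reviewer mentioned; their values here are placeholders.
    token = make_token(
        {"alg": "HS256", "typ": "JWT", "skm": "PLACEHOLDER-SKM"},
        {"uid": "PLACEHOLDER-UID", "exp": 1700000000},
        DEMO_SECRET,
    )
    meeting = {  # constructed stand-in for a meeting-creation response
        "id": 123456789,
        "start_url": f"https://example.invalid/s/123456789?zak={token}",
        "join_url": "https://example.invalid/j/123456789",
    }
    header, payload = peek_without_key(zak_from_start_url(meeting["start_url"]))
    host_view, attendee_view = split_views(meeting)
    return {
        "leaked_skm": header["skm"],
        "leaked_uid": payload["uid"],
        "attendee_has_start_url": "start_url" in attendee_view,
        "host_has_start_url": "start_url" in host_view,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that `split_views` is enforced server-side: the `start_url` is only ever serialized into the response that goes back to the authenticated creator, so the `zak` never travels in anything an attendee receives or that gets logged in a shareable link.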

Hi @bmartin
Thanks for reaching out to the Zoom Developer Forum.
Sorry for the late reply on this!
Have you been able to communicate with your reviewer? If not, could you please share with me the name of your app and what is the status of your application?

Best,
Elisa


I did, yes; all resolved. Thank you, and sorry for the late reply.
