Unexpected hashing algorithm used in the recording checksum

Hello Zoom Developer team!

We have a script that uses the Zoom Phone API to download recorded calls.
We do this in Python, through the download_url parameter that we get in the “Get call recordings” response (Zoom Phone API).

We make the request to download the recording, and the response has some headers, one of them being ‘Zoom-File-SHA256’, which we use to ensure that the file we downloaded is not corrupted.

We had an issue being flagged for the call with call_log_id = '96c95bae-1c69-49db-9668-c82df90cd9a4', where the checksum failed. We ended up realizing that, for that particular call, the hashing algorithm that was used was md5, instead of sha256, despite the checksum value being under the ‘Zoom-File-SHA256’ header.

Here is the error we logged upon finding this issue:

16:39:57.872099000 [Error ] [zoom_phone_call_validator.zoom_phone_api_client] Checksum is not correct. SHA256 of recording: 9a50b3842cf9bef0f8a34106f4773b238be0adbe0717efd7769179706cbdfc52. API response header checksum: aa1565d842ee87567c0301bd74a72f23.

Is this expected behaviour? It was the only call that we have seen this happen with.

Please let me know if you need any more information from me.

Thank you in advance.

Best Regards,
Francisco Castanheira

Hi @franciscocastanheira ,

Can you please private message me with the following?

  • your developer email
  • application credentials used to make the request
  • the full API request/response
  • recordings.id and download_url of this call

Thanks!

Hello Gianni,

Can you clarify what you mean by “application credentials used to make the request”?
We are using OAuth, and therefore we have an Account ID, Client ID, and Client Secret. But it sounds very sketchy to me to be sharing those. Am I misinterpreting something?

Also, I am not using my developer email for anything other than posting on this forum. Do you still need it?

Best,
Francisco Castanheira

@franciscocastanheira , just clarified via private message. I just need the client id used to make the request. Thanks!

Service engineering looking into this (ZSEE-103431, ZOOM-586960).

Hi @franciscocastanheira ,

Upon further investigation, I learned that we use MD5 when the file needs to be uploaded in parts to the file server.

A formal request has been made to use the same checksum formula (ZOOM-587214).

Temp workaround: If the length of the token is equal to 32, please use the MD5 algorithm for verification. If the length of the token is equal to 64, please use the SHA256 algorithm for verification.

Does this help?
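
The length-based workaround above, as an added Python example that is not part of the original posts and is not Zoom's code. The function names, `ChecksumError` and the sample bytes are hypothetical; only the header name and the 32/64 rule come from the thread.

```python
import hashlib
import hmac
import io
import string

HEADER = "Zoom-File-SHA256"  # header name quoted in the thread
# Workaround from the thread: hex length 32 -> MD5, 64 -> SHA256.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}
SAMPLE_RECORDING = b"constructed sample bytes, not a real recording"


class ChecksumError(Exception):
    """Header missing, malformed, or digest mismatch."""


def pick_algorithm(token):
    """Map the header value to a hashlib algorithm name by its length."""
    token = token.strip()
    if not token or any(c not in string.hexdigits for c in token):
        raise ChecksumError("checksum header is not a hex digest")
    if len(token) not in ALGO_BY_HEX_LEN:
        # Fail closed: an unknown length must not skip verification.
        raise ChecksumError(f"unexpected digest length {len(token)}")
    return ALGO_BY_HEX_LEN[len(token)]


def verify_recording(stream, headers, chunk_size=65536):
    """Hash stream in chunks; return the algorithm used or raise."""
    token = next((v for k, v in headers.items()
                  if k.lower() == HEADER.lower()), None)
    if token is None:
        raise ChecksumError(f"{HEADER} header missing")
    algo = pick_algorithm(token)
    # MD5 here only detects corruption; usedforsecurity=False keeps it
    # usable on FIPS-restricted Python builds (3.9+).
    digest = hashlib.new(algo, usedforsecurity=False)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    if not hmac.compare_digest(digest.hexdigest(), token.strip().lower()):
        raise ChecksumError(f"{algo} mismatch: got {digest.hexdigest()}")
    return algo


if __name__ == "__main__":
    hdrs = {HEADER: hashlib.md5(SAMPLE_RECORDING).hexdigest()}
    print(verify_recording(io.BytesIO(SAMPLE_RECORDING), hdrs))
```

Logging the returned algorithm name for each download shows how often the MD5 path is taken until the header is made consistent.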

Hello Gianni,

Thank you for clarifying!

We will use the workaround for now. Can you notify me when there is a resolution for the formal request?
