Updating Webhooks > Lambda integration to support new authorization structure

I’d like to know if anybody has built any recent automations between Zoom Webhooks and Lambda, and might have an example of how to update it to the new authorization requirements for 2023. I have gone through the documentation, but still cannot manage to verify the endpoint URL from Zoom. My lambda function looks like what is below, any help is appreciated.

exports.handler = async (req) => {
  console.log(`endpoint hit at ${new Date().toDateString()}, see below:`);
  console.log(req);

  //validation
  if (req.event == "endpoint.url_validation") {
    console.log(`validation hit ${req}`);
    const hashForValidate = crypto.createHmac('sha256', process.env.ZOOM_SECRET_TOKEN).update(req.payload.plainToken).digest('hex');
    let response = {
      statusCode: 200,
      body: ({
        "plainToken": req.payload.plainToken,
        "encryptedToken": hashForValidate
      })
    };
    console.log(`response below...`)
    console.log(response);
    return response;

  //alert
  } else if (req.event == "zoomroom.alert") {

    let sendDoc = `${req.payload.object.room_name} reports: ${req.payload.object.issue}`;

    await sendSlackMessage(process.env.SLACK_WEBHOOK_URL, sendDoc);

    //generate reponse
    let response = {
      statusCode: 200,
      // body: JSON.stringify('This is my Zoom Webhook API endpoint')
      body: req
    };
  } 
      
    //generate reponse
    let response = {
      statusCode: 200,
      // body: JSON.stringify('This is my Zoom Webhook API endpoint')
      body: req
    };
  };

  return response;
}

Hi @Patrick,
Thanks for reaching out to the Zoom Developer Forum!
I am happy to help here!

By looking at your code snippet, I am wondering if you are probably missing one step before validating your endpoint.

If you look into our Docs, to verify Webhook events the first step is receiving the event, followed by the second step which is constructing a message with the webhook request header x-zm-request-timestamp value from the payload you received.

https://marketplace.zoom.us/docs/api-reference/webhook-reference/#using-webhooks--omit-in-toc-

This message will be passed in your variable hashForValidate.

Here is a code snippet from our Docs that might be helpful for you:

const message = `v0:${request.headers['x-zm-request-timestamp']}:${JSON.stringify(request.body)}`

const hashForVerify = crypto.createHmac('sha256', ZOOM_WEBHOOK_SECRET_TOKEN).update(message).digest('hex')

const signature = `v0=${hashForVerify}`

if (request.headers['x-zm-signature'] === signature) {
  // Webhook request came from Zoom
} else {
  // Webhook request did not come from Zoom
}

We also have a sample app available :

Let me know if this helps and we can keep looking into this.
Best,
Elisa

1 Like

Thank you, Elisa. I got this authentication flow figured out.

Amazing!! @patrickgi
Please feel free to reach out back again if you need anything from us!

1 Like