Hi @Patrick,
Thanks for reaching out to the Zoom Developer Forum!
I am happy to help here!
By looking at your code snippet, I am wondering if you are probably missing one step before validating your endpoint.
If you look into our Docs, to verify Webhook events the first step is receiving the event, followed by the second step which is constructing a message with the webhook request header x-zm-request-timestamp value from the payload you received.
https://marketplace.zoom.us/docs/api-reference/webhook-reference/#using-webhooks--omit-in-toc-
This message will be passed in your variable hashForValidate.
Here is a code snippet from our Docs that might be helpful for you:
const message = `v0:${request.headers['x-zm-request-timestamp']}:${JSON.stringify(request.body)}`
const hashForVerify = crypto.createHmac('sha256', ZOOM_WEBHOOK_SECRET_TOKEN).update(message).digest('hex')
const signature = `v0=${hashForVerify}`
if (request.headers['x-zm-signature'] === signature) {
// Webhook request came from Zoom
} else {
// Webhook request did not come from Zoom
}
We also have a sample app available :
Let me know if this helps and we can keep looking into this.
Best,
Elisa