Validating access JWT signature

Hello,

I was exploring the documentation at https://marketplace.zoom.us/docs/guides/auth/oauth/#getting-an-access-token and following the steps to get an OAuth application going.

However, I wasn’t able to find a way to verify the signature of the token - what’s the key used to sign the JWT? I assume it’s a shared secret rather than a key pair (but if I’m wrong, is there a public key that Zoom publishes?)

Thanks


Hi, @services2 ,

Thank you for posting in the Zoom Developer Forum. Can you share if you are looking to get started with Zoom REST APIs or Zoom Meeting SDK?

Zoom REST APIs use the access token and you do not need to validate the OAuth token.

OAuth with Zoom

https://marketplace.zoom.us/docs/guides/auth/oauth/

Zoom Meeting SDKs use an SDK JWT for authorization and you can verify the format of the signature with a tool: https://jwt.io/

Authorization

https://marketplace.zoom.us/docs/sdk/native-sdks/auth/

Hi @donte.zoom

It’s REST APIs.

I know we don’t need to validate the JWT but I would like to be able to - as a precaution since we’re storing the access token as well as refresh (ideally for the duration of its lifetime, but given our current implementation there are no guarantees about that) and on retrieval we would like to double check its integrity.
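A structural check that can run when a stored token is read back, added here as an example and not code from this thread or from Zoom: it decodes the JWT header to report which key type the `alg` value implies (shared secret or key pair, per RFC 7518) and whether `exp` has passed. It does not verify the signature, since the thread does not identify the signing key; the function names are hypothetical and the sample token is constructed.

```python
import base64
import json
import time

# Signature algorithm families from RFC 7518 (JWA), keyed by the "alg" prefix.
ALG_FAMILIES = {"HS": "shared-secret (HMAC)", "RS": "key pair (RSA)",
                "PS": "key pair (RSA-PSS)", "ES": "key pair (ECDSA)"}


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def inspect_stored_token(token, now=None):
    """Structural check of a stored JWT. Does NOT verify the signature."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not all(parts[:2]):
        return {"well_formed": False, "reason": "expected header.payload.signature"}
    try:
        header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    except (ValueError, UnicodeError) as exc:
        return {"well_formed": False, "reason": f"undecodable segment: {exc}"}
    alg = str(header.get("alg", ""))
    exp = payload.get("exp")
    key_type = ("unsigned" if alg.lower() == "none"
                else ALG_FAMILIES.get(alg[:2], "unknown"))
    return {"well_formed": True, "alg": alg, "key_type": key_type,
            "has_signature": bool(parts[2]),
            "expired": isinstance(exp, (int, float)) and exp <= now}


def make_sample(header, payload, sig="c2ln"):
    """Build a constructed sample token; the signature is a dummy value."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{sig}"


# Constructed sample, not a real Zoom token.
SAMPLE = make_sample({"alg": "HS512", "typ": "JWT"}, {"exp": 2000000000})
```
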

@services2,

Can you share more details on the intended workflow? By default, the lifetime of an access token is 60 mins – so the validation will be handled on Zoom’s end. If any requests fail, the token is considered invalid, and the request will be rejected with a 401 Unauthorized result. At what point do you want to double-check its integrity? Or is there a specific edge case in your workflow that you are looking to avoid or control better?