However, I wasn’t able to find a way to verify the signature of the token - what’s the key used to sign the JWT? I assume it’s a shared secret rather than a key pair (but if I’m wrong, is there a public key that Zoom publishes?)
I know we don’t need to validate the JWT but I would like to be able to - as a precaution, since we’re storing the access token as well as the refresh token (ideally for the duration of its lifetime, but given our current implementation there are no guarantees about that) and on retrieval we would like to double-check its integrity.
Can you share more details on the intended workflow? By default, the lifetime of an access token is 60 mins – so the validation will be handled on Zoom’s end. If any requests fail, the token is considered invalid, and the request will be rejected with a 401 Unauthorized result. At what point do you want to double-check its integrity? Or is there a specific edge case in your workflow that you are looking to avoid or control better?