Verification Tokens in Event Subscription

I am reading the ## Verification Tokens in

It seems that the Verification Token is just a text string. Does it mean to verify it by just doing string comparison?

Also how this token be protected over the wire? How to we prevent the token is fished by some bad guy? Do we need to regenerate the token periodically for the sake of protection?

Also, we want to whitelist the Zoom URLs that posts the events to our endpoints. It is Zoom URL always ‘’. If it is always, how we know the URLs in advance for whitelist configuration?

Thank you in advance for the help.

Hey @heidi.zh.n,


It is just a text string and it is protected by SSL because all of our requests are sent using HTTPS.

The token is sent by Zoom’s server to yours, it never touches the Zoom frontend so there is no way it could be fished. However, you can always regenerate the token to your liking.

I believe the domain name is not exposed in the requests, but you may be able to whitelist an IP.