Verification Tokens in Event Subscription

Description
I am reading the Verification Tokens section in https://marketplace.zoom.us/docs/guides/authorization/credentials

It seems that the Verification Token is just a text string. Does it mean to verify it by just doing string comparison?

Also, how is this token protected over the wire? How do we prevent the token from being fished by some bad guy? Do we need to regenerate the token periodically for the sake of protection?

Also, we want to whitelist the Zoom URLs that post the events to our endpoints. Is the Zoom URL always ‘https://zoom.us’? If it is always, how do we know the URLs in advance for whitelist configuration?

Thank you in advance for the help.

Hey @heidi.zh.n,

Correct.

It is just a text string and it is protected by SSL because all of our requests are sent using HTTPS.

The token is sent by Zoom’s server to yours; it never touches the Zoom frontend, so there is no way it could be fished. However, you can always regenerate the token to your liking.

I believe the domain name is not exposed in the requests, but you may be able to whitelist an IP.

Thanks,
Tommy
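
The receiving-side check discussed in this thread, as an added example (not code from Zoom or from either poster): it compares the token in constant time, keeps accepting the previous token for a while after a regenerate, and applies an IP allowlist. Assumptions: the token arrives in the `Authorization` header, the token values and the IP range are constructed placeholders, and all function names are hypothetical.

```python
import hmac
import ipaddress

# Constructed sample values, not real Zoom data.
CURRENT_TOKEN = "example-token-current"
PREVIOUS_TOKEN = "example-token-previous"  # still accepted briefly after a regenerate
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder range (RFC 5737)


def token_matches(presented, accepted_tokens):
    """Compare the presented token against every accepted token in constant time."""
    if not presented:
        return False
    presented_b = presented.encode("utf-8")
    ok = False
    for token in accepted_tokens:
        # compare_digest does not stop at the first differing byte, so the
        # response time does not reveal how much of a guess was correct.
        ok |= hmac.compare_digest(presented_b, token.encode("utf-8"))
    return ok


def source_allowed(remote_ip, networks):
    """True if remote_ip parses and falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def verify_event(headers, remote_ip, scheme="https"):
    """Return (accepted, reason) for an incoming event notification."""
    if scheme != "https":
        return False, "not https"  # the token is only protected in transit by TLS
    if not source_allowed(remote_ip, ALLOWED_NETWORKS):
        return False, "source ip not allowlisted"
    # Assumption: the verification token is carried in the Authorization header.
    lowered = {k.lower(): v for k, v in headers.items()}
    accepted = [CURRENT_TOKEN, PREVIOUS_TOKEN]
    if not token_matches(lowered.get("authorization"), accepted):
        return False, "token mismatch"
    return True, "ok"
```

Drop `PREVIOUS_TOKEN` from the accepted list once events are arriving with the regenerated token.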