Verify Webhook is failing (signatures don't match)

agebold · December 4, 2024, 8:36pm

API Endpoint(s) and/or Zoom API Event(s)
Zoom webhook verification

Description
I have verified the url used for Zoom to send webhook messages to my server but the verification of each webhook message is failing because the signature generated does not match the signature provided. I am following the instructions and code provided in the documentation verbatim and the string generated for the signature is not the same.

I suspect there is some order that the JSON body needs to be converted to a string or a variable that’s missing because the rest of the conversion is constant.

How To Reproduce
Currently I have events sent for meeting start, meeting end, participation joined and participant report available events. These are all failing the webhook verification.

elisa.zoom · December 6, 2024, 2:59pm

Hi @agebold
Thanks for reaching out to us and welcome to the Zoom Developer community!
Can you try to run this webhook sample app and verify whether you are still getting this error?

freelancer.nak · December 6, 2024, 7:10pm

@agebold

Hello, I hope you’re doing well. Below is a working NodeJS sample:

import { HttpStatusCode } from 'axios';
const crypto = require('crypto');

export class WebhookVerifier {
    // Method to verify the signature
    static verifySignature({ zmSignature, zmRequestTimeStamp, body }) {
        const message = `v0:${zmRequestTimeStamp}:${JSON.stringify(body)}`;
        const hmac = crypto.createHmac('sha256', process.env.ZOOM_EVENT_VERIFICATION_SECRET);
        const computedHash = hmac.update(message).digest('hex');
        const signature = `v0=${computedHash}`;

        // Compare computed signature with Zoom signature
        return signature === zmSignature;
    }

    // Method to process the webhook verification response
    static async verifyEventEndpoint({ plainToken }) {
        try {

            const secret = process.env.ZOOM_EVENT_VERIFICATION_SECRET;

            // Encrypt plainToken
            const encryptedToken = crypto
                .createHmac('sha256', secret)
                .update(plainToken)
                .digest('hex');

            return {
                status: HttpStatusCode.Ok,
                payload: {
                    plainToken: plainToken,
                    encryptedToken: encryptedToken,
                },
            };
        } catch (error) {
            console.error(error);
            return { status: 500, message: 'Internal Server Error' };
        }
    }
}

If still any query please ask.
Thanks

freelancer.nak · December 7, 2024, 4:20pm

@agebold

Please make sure to use the raw body of the webhook payload instead of the direct body.

Topic		Replies	Views
Signature Verification Issue with Webhook API and Webhooks	5	881	May 13, 2024
Unable to verify zoom's web hook request with Zoom's header API and Webhooks webhooks , recording	16	911	July 18, 2024
Event notification endpoint URL - URL validation failed. Try again later Webhook Only App Webinars	22	6813	November 16, 2023
Verify Zoom Webhooks using a CloudFlare Worker API and Webhooks	11	873	February 21, 2024
Integration Of User sign In webhook API and Webhooks htq , dc	5	1179	August 21, 2020

Verify Webhook is failing (signatures don't match)

Related topics