Webhook url validation failing for a REST endpoint created using AWS Amplify and handled using AWS Lambda

I’m trying to validate a webhook URL but its not succeeding. I can’t give the exact endpoint URL, but its something like this: https://$$$execute-api.us-east-1.amazonaws.com/env/endpoint-url

This is a REST endpoint which I created using AWS Amplify (using amplify update api command of the Amplify CLI). The http requests sent at this endpoint is handled by a lambda function which I created for this purpose. In the lambda, I’m handling the event of url_verification by creating the HMAC-SHA256 hash as following (similar to the steps described here: https://github.com/zoom/webhook-sample/blob/master/index.js)

body = JSON.parse(event.body);
if (body.event === "endpoint.url_validation") {
        const hashForValidate = crypto.createHmac('sha256', ZOOM_WEBHOOK_SECRET_TOKEN).update(body.payload.plainToken).digest('hex');

        const response = {
            message: {
                plainToken: body.payload.plainToken,
                encryptedToken: hashForValidate
            status: 200

        console.log("Generated url validation response:", JSON.stringify(response, null, 5));
        return response;

Still I’m getting failed URL validation. How do I get it working? Do I need to do something different when working inside an aws lambda function?

@chunsiong.zoom Can you help me here?

@aayush do you see the incoming request from Zoom when you click the validate button?

Yes I can see the incoming request from zoom. But not at the place where I click the validate button. I’ve added a console.log in my lambda function which outputs the event received (which is basically the entire HTTP data sent over on my REST api by zoom). I can see that payload inside the CloudWatch Logs, which basically stores all the output of my lambda, separated out based on different invocations at different times.

In short, yeah I can see the payload which is sent by Zoom, but not at the place where the validate button is shown to me.

Can you confirm that the ZOOM_WEBHOOK_SECRET_TOKEN is correctly configured and matches the secret token provided by Zoom. The HMAC-SHA256 hash generation should use the exact secret token without any modifications. If this does not work, let me know some timings that would work for you starting next tuesday, would love to jump on a meeting to debug this. I will be in IST though

Yes. I can confirm that the zoom webhook secret token which I’m using is the same as shown to me in the webhook url validation page. I copied and pasted it in plaintext in my lambda (since, I was only testing it).
I’m available on Dec 12th (coming Tuesday)… from 12PM to 2PM, then from 4PM to 7PM (all times in IST). Would be very helpful of you if we can resolve this on a call.

Thanks a lot.