Webhook URL Validation

Format Your New Topic as Follows:

API Endpoint(s) and/or Zoom API Event(s)
Implementing CRC validation for “endpoint.url_validation”. Currently configured with multiple JWT Sub Accounts per environment to listen for Meeting and Recording Callback Events.

Description
For the CRC validation response, it states that the plain token in the request needs to be hashed using (HMAC) SHA-256 hash, which requires using secret token string. Our question is we have multiple JWT (sub) accounts setup by environment/campus, anywhere from two to five secret key configurations per environment. While processing this incoming request, how would we determine which secret token string to use for the hash?

Error?
N/A

How To Reproduce
N/A

Hi @kupadhyaya
Thanks for reaching out to the Zoom Developer Forum!
Before we start talking about the way to determine which secret token string you need to use to hash, I just wanted to mention that the JWT app will be completely deprecated by September 1st, so I would highly encourage you to start migrating from your JWT app to a Server to Server Oauth app

Hi Elisa,

Thank you for getting back to me. Yes, we just realized that we need to migrate our JWT apps before the September 1st deadline. We have started going through the migration documentation and will soon be starting that work to convert our apps to the server to server oauth apps in parallel.
However, are you saying that the webhook validation is not necessary? Isn’t there a window where webhook validation will be required and before we have to migrate from JWT apps? Also, I did find a post with a suggested solution to inspect the authorization header attribute value, which is currently the verification token and compare that against all subaccounts to determine which hashed value response needs to be returned to Zoom. Is this the correct approach?

Thanks,
Kedar