Webhook verification failed due to special characters in payload

We have recently integrated Zoom WebHook validation process at our application end.
We followed the process mentioned in official documentation :

Verify Zoom Web Hooks

Everything worked fine & we are able to successfully validate the calls received from Zoom Webhook.

But signature validation fails in very specific scenarios - in case of meeting related events :

Our Observation during failure :

  • Meeting contains external participants (outside our company)
  • Those external participants have special characters like emojis in their name,
    e.g. Elie Guez - ChoYou :flamingo:, Ahad :notes: etc.
  • External participant’s email is missing from payload

Please help.

Hi @rahul.bhooteshwar
Thanks for reaching out to the Zoom Developer Forum, I am happy to help here!
So, let me just confirm if I am understanding correctly.

You are generating the signature to validate the webhook correctly (with the Zoom secret token), but this signature is invalid when these 3 scenarios are in place:

  • Meeting contains external participants (outside our company)
  • Those external participants have special characters like emojis in their name,
    e.g. Elie Guez - ChoYou :flamingo:, Ahad :notes: etc.
  • External participant’s email is missing from payload

Are you generating the signature like this:

const crypto = require('crypto')

const message = `v0:${request.headers['x-zm-request-timestamp']}:${JSON.stringify(request.body)}`

const hashForVerify = crypto.createHmac('sha256', ZOOM_WEBHOOK_SECRET_TOKEN).update(message).digest('hex')

const signature = `v0=${hashForVerify}`

if (request.headers['x-zm-signature'] === signature) {
  // Webhook request came from Zoom
} else {
  // Webhook request did not come from Zoom
}

@elisa.zoom yes that’s correct.
I am using exactly same code for verification.
It works fine all the times except the scenario mentioned.

I don’t know if all those 3 conditions are responsible for the failure or just one of those (most probably user name with special characters).

I guess it is not applicable for our internal users as their names are proper alphabetical words & contains no emojis. But external meeting participants have their choice of names (containing these emojis).

Please let me know if anything else is needed from my side.

This is a critical issue for our integrations. Please help.

Thanks for confirming this @rahul.bhooteshwar

Allow me some time to do some testing on my end and I will come back to you with an update shortly.
Best,
Elisa

Hello @elisa.zoom ,
Did you get a chance to test and confirm this behaviour?

Hi @rahul.bhooteshwar
Thank you for your patience while I troubleshoot this on my end
Unfortunately, I have not been able to replicate this behavior.
I will go ahead and send you a private message so we can exchange more information

Best,
Elisa