Webinar Registration Webhook sending record data that my user doesn't have access to

Hello,

I created a webhook for webinar registration creation and cancelation. I connected it to Workato and began testing. The tests showed data that I could not see in my Zoom account. They could have been a different account that was connected to my company’s account; however, I could not see those specific records.

I will also note that zero of my test data actually came through the webhook. At first this was an automation issue; however, now I’m concerned about the security of these events and how they are being published. What do you recommend?

1 Like

For clarity:

  1. We have multiple Event Hubs in our company’s Zoom account.
  2. We have created a user (UserX) with access to only one of these hubs.
  3. We created a Webhook app under UserX to receive registrant creation and cancelation events.
  4. The listener then received events from a different event hub that UserX does not have access to.
  5. It never received events from the event hub UserX does have access to.

Curious if anyone else has observed these security flaws in Zoom’s webhooks or if it is just us.

1 Like

Hi @lvb and @KevinNelson,
Thanks for reaching out to us, and happy to look further into this.
Could you please clarify what app type you’re using and which account it was created under? To receive events successfully, the app needs to be created under the same account for which you want to receive webhooks.

When creating event subscriptions, make sure to specify whose events you want to receive (this will vary according to the app type).

1 Like

Hi @elisa.zoom, thank you for chiming in here. We selected “All Users in the account and subaccounts” hoping to detect my test records. Even with this selected, we did not detect my test records.

1 Like

Thanks @KevinNelson,
I will send you a DM so I can take a closer look at your setup.

Circling back here to tell the community what we learned.

The security concern was resolved by understanding that the user’s permissions did not have permissions to see other event and webinar records outside of Zoom’s Event Hub. The data we expected was actually a Zoom Ticket rather than a Webinar Registration, which played into the permissions of our integration user.

Another lesson learned is that Zoom Tickets in Zoom’s Event Hub equal Zoom Webinar Registrant records in the Salesforce managed package. The parent-child data model in the Salesforce managed package starts at the top with a Zoom Event > Zoom Webinar > Zoom Webinar Registrant. Zoom’s data model starts at the top with a Zoom Event and has Zoom Tickets roll up under Zoom Events. Zoom Tickets have a Session ID that ties to a Zoom Webinar in the SFDC managed package. We had to redraw our logic once we understood this, and we were able to make the sync work.

2 Likes
