What is the purpose of the signature?

Client Web SDK
#1

Description

I’m investigating using the websdk. And I have a minimal development setup working fine. I have a back-end endpoint to provide the signature. I also was able to hide the join link in the front-end thank to the answer web-sdk-hide-meeting-information.

Now my intuitive understanding was that a client can only join a room if it has access to a valid signature. And since my back-end has control over who gets the signature it has also control over who can join what meeting.

But then I noticed that the websdk (specifically ZoomMtg.join) also requires the meeting number and the meeting password (additionally to the signature). And my understanding is that the meeting number and the meeting password are enough to join the meeting (for example through zoom.us/j/<meetingNumber>).

Is my understanding correct?
What security benefit does the signature provide?

Thanks!

#2

Hey @Videda,

Thank you for reaching out to the Zoom Developer Forum.

Great question! When using the Web SDK, the signature authorizes the user to join the meeting with your API Key and encrypted API Secret.

There is a bit of duplication when it comes to adding the meeting ID to the ZoomMtg.join() function but they are ultimately for separate purposes.

For the users of your application, and when joining from a Zoom client, they should just need to provide the meeting ID and Password. Your application generates the signature with your credentials in order to join the meeting.

I hope that helps! Let me know if you have any questions.

Thanks,
Max

#3

Hey @MaxM
Thank you for your reply.

I am probably missing something. But users can join the meeting just using the meeting ID and password. So users can just avoid requesting a signature and still being able to join the meeting. So it would seem that the signature authorization can just be circumvented.

What am i missing here?

Thanks!

#4

Hey @Videda,

Thank you for your question. The signature is used exclusively for the Web SDK, it doesn’t apply to other clients. It is used by our SDK internally to authenticate and track requests from the SDK itself.

You’re correct in that if a user has the Zoom Client, Web Client, or Mobile App they would be able to join the meeting without creating a signature. This isn’t seen as circumventing the signature because the signature is only for the Web SDK.

Let me know if that clears things up :slightly_smiling_face:

Thanks,
Max