ZAK token stopped working for authenticating file downloads
Description
It looks like the zak token no longer provides permissions to authenticate downloads. Sometime between Thursday, June 17 (last successful file download authenticated with a zak token), and Monday, June 21 (download authentications started failing), it seems like there was a change to the zak token.
Error
Using a zak token to authenticate a download of a Zoom cloud recording file results in a 200 response with an HTML page that includes the message “Only the host can download this recording. Please sign in to your Zoom account to download if you are the host.”
Which App Type (OAuth / Chatbot / JWT / Webhook)?
JWT
How To Reproduce (If applicable)
Steps to reproduce the behavior:
Select a cloud recording file to download and a user that has access to download this file
Request a zak token for the user with GET “users/{userId}/token?type=zak”
Attempt to download the chosen file using the zak token by appending the zak token to the download link as a query param: GET “{download_link}?zak={zak_token}”
A successful request will respond with 302 and the requested file. A failed request will return 200 and an HTML page that includes an error message.
Additional context
We’ve searched through all the release notes for Zoom and the Zoom API around the timeline June 17-21, 2021 and we can’t find any changes relating to zak tokens or the endpoint GET “users/{userId}/token”. Our application that depends on the Zoom API was tested on June 17 and was fully functioning. We made no code changes and had a several hour outage on June 21 due to this observed change in the Zoom API.
Can someone from the Zoom API developers team confirm that a change was made to the zak token between June 17 and 21?
Also, can you come up with a process to announce breaking changes going forward?
That is, “only the host can download cloud recordings”.
If that doesn’t help, you can use the access_token or JWT token with the download URL to download the file:
Let me know if that helps to retrieve the file. We moved over to using an access_token a few months ago and it looks like that change was finalized recently.
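As an added example (not code from this thread, from Zoom, or from either poster), the reproduction steps in the original post and the access_token workaround suggested above, written as a monitoring check that detects the silent change in behaviour: 302 means the file is being served, 200 with an HTML body means the token was rejected. It assumes only the standard library; the download link and token values in the comments are constructed placeholders.

```python
# Added example: probe a Zoom cloud-recording download link and classify the result
# using the signature described in the thread (302 == file served, 200 + HTML == rejected).
# Standard library only; URLs and tokens are constructed placeholders, not real values.
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse
from urllib.request import HTTPRedirectHandler, Request, build_opener
from urllib.error import HTTPError

HOST_ONLY_MSG = b"Only the host can download this recording"

@dataclass
class DownloadCheck:
    ok: bool
    reason: str

def build_download_url(download_link: str, token: str, param: str = "access_token") -> str:
    """Append the token as a query parameter, keeping any existing query intact.
    The thread used param="zak" (now rejected); param="access_token" is the working path.
    Note: tokens in a query string end up in proxy and server logs, so treat such URLs as secrets."""
    parts = urlparse(download_link)
    query = parse_qsl(parts.query, keep_blank_values=True) + [(param, token)]
    return urlunparse(parts._replace(query=urlencode(query)))

def classify_download_response(status: int, content_type: str, body_start: bytes) -> DownloadCheck:
    """Apply the thread's rule to a response: 302 is success, 200 + HTML is an auth failure."""
    if status == 302:
        return DownloadCheck(True, "redirect to file")
    head = body_start.lstrip().lower()
    is_html = "text/html" in content_type.lower() or head.startswith((b"<!doctype html", b"<html"))
    if status == 200 and is_html:
        if HOST_ONLY_MSG in body_start:
            return DownloadCheck(False, "host-only page: token no longer authorizes the download")
        return DownloadCheck(False, "HTML page returned instead of the file")
    return DownloadCheck(False, f"unexpected status {status}")

class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following the 302, so a success costs one small request, not a file download."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe_download(download_link: str, token: str, param: str = "access_token") -> DownloadCheck:
    """Live check (needs network and a valid token); returns the classified outcome."""
    url = build_download_url(download_link, token, param)
    opener = build_opener(_NoRedirect())
    try:
        with opener.open(Request(url), timeout=30) as resp:
            return classify_download_response(resp.status, resp.headers.get("Content-Type", ""), resp.read(4096))
    except HTTPError as err:  # the 302 surfaces here because redirects are disabled
        return classify_download_response(err.code, err.headers.get("Content-Type", ""), b"")
```

Running `probe_download` on a schedule and alerting when `ok` flips to false would have caught the June 21 change within one polling interval instead of after an outage.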
Thanks @MaxM
We have already switched over to the download access token (this was the fix for our outage).
However, we are concerned that this change was not announced or documented anywhere that I can find. There’s no way to tell exactly which day this change was made because it isn’t in the release notes.
Since we didn’t know this change was coming, we hadn’t switched over to the download token yet, and as a result our application running in production was down for several hours.
Is this change documented anywhere that I missed? Do you have any advice about how we can find out about breaking changes like this going forward so that we can prepare for them and prevent an outage in our systems?
Thank you for clarifying. I’m not sure if we sent out communication for this but I agree that we should have. I’m talking with my team now to confirm if we sent anything out and then I’ll speak with them to make sure we’re on target in the future.
My apologies for the delay here. I was able to confirm that we did not send out communication for this change. We’ve been working to improve our developer communication and we have some action items that we are putting in place to make sure that we alert you of breaking changes.
Thank you again for your feedback, it helps to make sure that we stay on target and provide helpful updates to our developers.