ZAK token stopped working for authenticating file downloads

Description
It looks like the zak token no longer provides permissions to authenticate downloads. Sometime between Thursday, June 17 (last successful file download authenticated with a zak token), and Monday, June 21 (download authentications started failing), it seems like there was a change to the zak token.

Error
Using a zak token to authenticate a download of a Zoom cloud recording file results in a 200 response with an HTML page that includes the message “Only the host can download this recording. Please sign in to your Zoom account to download if you are the host.”

Which App Type (OAuth / Chatbot / JWT / Webhook)?
JWT

Which Endpoint/s?
GET /users/{userId}/token

How To Reproduce (If applicable)
Steps to reproduce the behavior:

  1. Select a cloud recording file to download and a user that has access to download this file
  2. Request a zak token for the user with GET “users/{userId}/token?type=zak”
  3. Attempt to download the chosen file using the zak token by appending the zak token to the download link as a query param: GET “{download_link}?zak={zak_token}”

A successful request will respond with 302 and the requested file. A failed request will return 200 and an HTML page that includes an error message.

Additional context
We’ve searched through all the release notes for Zoom and the Zoom API around the timeline June 17-21, 2021, and we can’t find any changes relating to zak tokens or the endpoint GET “users/{userId}/token”. Our application that depends on the Zoom API was tested on June 17 and was fully functioning. We made no code changes and had a several-hour outage on June 21 due to this observed change in the Zoom API.

Can someone from the Zoom API developers team confirm that a change was made to the zak token between June 17 and 21?
Also, can you come up with a process to announce breaking changes going forward?
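Added example, not part of the original post and not Zoom's code: a client-side check for the failure mode described above (a 200 HTML page in place of the 302 and file), plus redaction of the token query parameter before a URL is logged. The `access_token` parameter name, the `file` case for clients that follow redirects, and all sample values are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# "zak" is the parameter used in the post; "access_token" is an assumed name.
SECRET_PARAMS = {"zak", "access_token"}
# Message quoted in the post's Error section.
HOST_ONLY_MARKER = "Only the host can download this recording"


def redact_url(url):
    """Return the URL with credential query values masked, safe to log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_download(status, headers, body_prefix):
    """Classify the response to a recording download request.

    status: HTTP status code; headers: dict of response headers;
    body_prefix: first bytes of the body (a few KB is enough).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if status == 302 and hdrs.get("location"):
        return "redirect_to_file"      # success path described in the post
    if status == 200 and ctype == "text/html":
        text = body_prefix.decode("utf-8", errors="replace")
        if HOST_ONLY_MARKER in text:
            return "auth_rejected"     # token no longer grants the download
        return "unexpected_html"       # still not a recording: do not save it
    if status == 200:
        return "file"                  # assumption: client followed the redirect
    if status in (401, 403):
        return "auth_rejected"
    return "unexpected"


if __name__ == "__main__":
    # Constructed sample values, not captured from Zoom.
    url = "https://example.invalid/rec/download/abc?zak=eyJ.sample.token"
    page = b"<html>Only the host can download this recording.</html>"
    print(redact_url(url))
    print(classify_download(200, {"Content-Type": "text/html"}, page))
```

Treating anything other than `redirect_to_file` or `file` as a failure keeps an HTML error page from being stored as a recording and lets monitoring alert on `auth_rejected` as soon as a token stops being accepted.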

Hey @Zoom_Ingester,

First, please make sure that you don’t have the following checkbox selected under Account Settings:

That is, “only the host can download cloud recordings”.

If that doesn’t help, you can use the access_token or JWT token with the download URL to download the file.

Let me know if that helps to retrieve the file. We moved over to using an access_token a few months ago and it looks like that change was finalized recently.

Thanks,
Max

Thanks @MaxM
We have already switched over to the download access token (this was the fix for our outage).
However, we are concerned that this change was not announced or documented anywhere that I can find. There’s no way to tell exactly which day this change was made because it isn’t in the release notes.

Since we didn’t know this change was coming, we hadn’t switched over to the download token yet, and as a result our application running in production was down for several hours.

Is this change documented anywhere that I missed? Do you have any advice about how we can find out about breaking changes like this going forward so that we can prepare for them and prevent an outage in our systems?

Hey @Zoom_Ingester,

Thank you for clarifying. I’m not sure if we sent out communication for this but I agree that we should have. I’m talking with my team now to confirm if we sent anything out and then I’ll speak with them to make sure we’re on target in the future.

I’ll let you know what I hear.

Thanks,
Max

@MaxM Great. Thank you for looking into it.

I’m happy to help out! No news just yet but I’ll bring this up during our team meeting if I don’t hear something soon.

I’ll let you know.

Max

Hey @Zoom_Ingester,

My apologies for the delay here. I was able to confirm that we did not send out communication for this change. We’ve been working to improve our developer communication and we have some action items that we are putting in place to make sure that we alert you of breaking changes.

Thank you again for your feedback, it helps to make sure that we stay on target and provide helpful updates to our developers.

Thanks,
Max