Zoom webhook validation event missing app's clientid header

rsahu · February 6, 2023, 4:28am

We are implementing webhook validation as documented here https://marketplace.zoom.us/docs/api-reference/webhook-reference/#validate-your-webhook-endpoint, the but validation event request does not contain the app’s clientid header like actual webook event request.
We use the clientid in the header to identify correct the Secret Token. This is needed because we support customer created apps in their zoom organization. Webhook event request header - https://marketplace.zoom.us/docs/api-reference/webhook-reference/#request-headers

elisa.zoom · February 6, 2023, 9:40pm

Hi @rsahu
Thanks for reaching out to the Zoom Developer Forum and welcome to our community, I am happy to help here!

I believe this is the expected behavior, once you validate your endpoint, all the events will include the client ID in the headers

rsahu · February 8, 2023, 6:18am

Hi @elisa.zoom ,
I am trying to find a way to handle multiple zoom apps webhook validation request.
How to differentiate webhook validation request to select correct secret token from databse.

rsahu · February 9, 2023, 12:46pm

Hi @elisa.zoom , Do you have any update.

elisa.zoom · February 9, 2023, 8:41pm

Hi @rsahu
I see. If I understand this correctly, you would have to set up independent validations for your apps

Here is a link to our sample app that demonstrates how to implement the URL validation:

Hope this helps,
Elisa

berk · February 11, 2023, 7:59pm

I don’t think this is what he’s asking, and we have the same issue… We have two apps on the Zoom marketplace that have the same functionality using the same webhook endpoints, except one is an account level app and the other is a user level app. We need the client id to be passed to determine which secret token we should use in validating the webhook endpoint. While the documentation says that clientid will be present in the request header, it isn’t in validation calls. This is a bug that needs to be fixed.

berk · February 11, 2023, 8:06pm

@rsahu Our workaround at the moment is to rely on the verification code passed in the Authorization header. This is not ideal, as verification codes will be deprecated in October 2023, but this is currently the ONLY way one can identify which app is requesting the validation. This should be a simple fix for Zoom to implement honestly, so would definitely appreciate if @elisa.zoom could bring visibility to the issue. Thanks!

elisa.zoom · February 13, 2023, 9:28pm

Thank you for chiming in here @berk
I will pass this feedback along with my team and will come back with updates

Topic		Replies	Views
"endpoint.url_validation" Webhook event missing "clientid" header API and Webhooks api	4	468	February 21, 2024
Missing clientid Header Chat webhooks , api	7	521	February 1, 2023
Handle webhooks secret token verification with many accounts Meetings webhooks	3	631	June 20, 2023
For JWT app, What is client Id and how can I get it using API API and Webhooks	2	338	July 3, 2022
Authenticate webhook POST from Zoom API and Webhooks	8	3047	August 21, 2020

Zoom webhook validation event missing app's clientid header

Related Topics