I have a Zoom OAuth app that uses webhook events. Tonight, I tried to regenerate the webhook verification token, but I discovered that, even almost an hour after regenerating it, my app is still receiving the old verification token.
On one hand, this makes it easier to rotate the tokens. If the old one is still valid, then I can check both tokens temporarily. On the other hand, the page doesn’t mention this, so if you did the simplest thing of just swapping the token in your app (like I did), your app would be broken. There is no mention of how long the old token is valid on the page. How long is it active?
It seems like it would be best if you could generate a new token (OAuth token too) while leaving the old one active, but then had a button to eventually deactivate the old one, when you were ready.
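One way to check both tokens temporarily during a rotation, as an added example that is not part of the original post and not Zoom's code. The class name, the operator-chosen grace cutoff and the token strings are assumptions constructed for illustration, and extracting the token from the incoming webhook request is left to the caller.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class RotatingVerifier:
    """Accept the new verification token and, until a cutoff, the old one."""
    current: str
    previous: Optional[str] = None
    previous_expires_at: float = 0.0          # epoch seconds, chosen by the operator
    previous_last_seen: Optional[float] = None  # when the old token last arrived

    def match(self, presented: str, now: Optional[float] = None) -> Optional[str]:
        """Return 'current', 'previous', or None if the token is rejected."""
        now = time.time() if now is None else now
        got = presented.encode()
        # Constant-time comparison against each configured token; both
        # comparisons run before any decision is made.
        is_current = hmac.compare_digest(got, self.current.encode())
        is_previous = self.previous is not None and hmac.compare_digest(
            got, self.previous.encode()
        )
        if is_current:
            return "current"
        if is_previous and now < self.previous_expires_at:
            # Record the sighting so the operator can tell when the sender
            # has actually stopped using the old token.
            self.previous_last_seen = now
            return "previous"
        return None


if __name__ == "__main__":
    # Constructed sample tokens, not real credentials.
    verifier = RotatingVerifier(
        current="NEW_token_constructed",
        previous="OLD_token_constructed",
        previous_expires_at=time.time() + 24 * 3600,  # assumed 24 h grace window
    )
    for token in ("NEW_token_constructed", "OLD_token_constructed", "bogus"):
        print(token, "->", verifier.match(token))
```

Logging `previous_last_seen` shows how long the old token keeps arriving, which is the figure the post says is undocumented; once it stops advancing, set `previous` to `None`.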