Zoom webhook verification token not regenerating?


I have a zoom oauth app that uses webhook events. Tonight, I tried to regenerate the webhook verification token, but I discovered, even almost an hour after regenerating it, my app is still receiving the old verification token.

One one hand, this makes it easier to rotate the tokens. If the old one is still valid, then I can check both tokens temporarily. On the other hand, the page doesn’t mention this, so if you did the simplest thing of just swapping the token in your app (like i did). Your app would be broken. There is no mention how long the old token is valid on the page. How long is it active?

It seems like it would be best if you could generate a new token (oauth token too) while leaving the old one active, but then had a button to eventually deactivate the old one, when you were ready.

Hey @scottjg,

That is strange, it should be updated right away. What is the name of your OAuth App so I can debug?

Are you still seeing the old verification token being sent with the webhooks?


The app is called Rewatch.

It’s really hard to know, since this is in our production environment and I’d really prefer not to leak credentials into our logging infra. If it was possible to roll these credentials in a way that wasn’t disruptive (i.e. keep one old token while setting up the new one) then I would be more comfortable rolling it again. I will try to get this information though. Maybe I’ll just log the last 4 chars or something.

FWIW, I only tested the auth/deauth flow. So the webhook that was using the old token was the one being sent when the app was uninstalled from the zoom marketplace.

Hey @scottjg,

If you’d like, we can move this conversation over to a private email thread: developersupport@zoom.us.


thanks tommy-- i sent an email just now

1 Like

Thanks @scottjg,

Ojus or I will help you there! (ZOOM-171684)