I have a zoom oauth app that uses webhook events. Tonight, I tried to regenerate the webhook verification token, but I discovered, even almost an hour after regenerating it, my app is still receiving the old verification token.
One one hand, this makes it easier to rotate the tokens. If the old one is still valid, then I can check both tokens temporarily. On the other hand, the page doesn’t mention this, so if you did the simplest thing of just swapping the token in your app (like i did). Your app would be broken. There is no mention how long the old token is valid on the page. How long is it active?
It seems like it would be best if you could generate a new token (oauth token too) while leaving the old one active, but then had a button to eventually deactivate the old one, when you were ready.
It’s really hard to know, since this is in our production environment and I’d really prefer not to leak credentials into our logging infra. If it was possible to roll these credentials in a way that wasn’t disruptive (i.e. keep one old token while setting up the new one) then I would be more comfortable rolling it again. I will try to get this information though. Maybe I’ll just log the last 4 chars or something.
FWIW, I only tested the auth/deauth flow. So the webhook that was using the old token was the one being sent when the app was uninstalled from the zoom marketplace.