Zoom Webhooks Specs | Examples| How to integrate

Zoom uses webhooks to notify third-party apps of events such as Meetings, Webinars,Recordings, User Activity, Billing, and Chat Messages created

Specifications	HMAC Authentication Replay Prevention: ✅ Forward Compatibility: ✅ Zero Downtime Rotation: ❌
Supported Events	Official Doc ↗
Security Headers	Signature Header: `x-zm-signature` Hash: sha256 Encode: hex payload: `v0:timestamp:request_body` Timestamp Header: `x-zm-request-timestamp` Timestamp Format: Unix Date
Documentation	Official Doc ↗ IP Origins for whitelist ↗
SDKs and Sample Code	NodeJS Sample ↗

Sample Validation

const crypto = require('crypto')
const timeHeader = 'x-zm-request-timestamp'
const sigHeader = 'x-zm-signature'
const hashAlgo = 'sha256'
const encode = 'hex'
const hmacSecret = process.env.WEBHOOK_SECRET
app.post('/zoom-webhook', (req, res) => {
    //01: Validate replay prevention with 5 minute timeframe
    const requestTimestamp = req.headers[timeHeader] * 1000;
    const tolerance = Date.now() - (5 * 60 * 1000);
    if (requestTimestamp < tolerance) {
        res.status(403).send('Request expired')
    }else{
        //02: Validate signature
        const message = `v0:${req.headers[timeHeader]}:${JSON.stringify(req.body)}`
        const digest = crypto.createHmac(hashAlgo, hmacSecret).update(message).digest(encode)
        if (request.headers[sigHeader] !== digest) {
            res.status(401).send('Request unauthorized')
        }else{
            //03: Process message
            res.json({ message: "Success" })
        }
    }
})

Specifications

Supported Events

Security Headers

Documentation

SDKs and Sample Code

Sample Validation