***

title: 'Webhook Example: Zoom'
position: 5
deprecated: false
hidden: false
metadata:
robots: index
-------------

Zoom webhooks notify your endpoint of events like meeting starts or ends. They require an initial URL validation challenge and support signature verification for events. This dual pattern teaches handling setup trust (challenge) separately from ongoing security (signature), common in services with periodic re-validation.

# Quickstart

## 1) Register the Webhook in Zoom

Registration triggers the challenge. In Zoom:

1. Go to Zoom Marketplace > Develop > Build Legacy App > Webhook Only.
2. Add event subscriptions.
3. Event notification endpoint URL: Your Agent Studio listener URL.
4. Generate a Secret Token—note it; this serves both challenge signing and event signatures.
5. Validate the URL (triggers the challenge — do this after setting up your listener below).
6. Save and subscribe to events.

| Event           | Description       | Key Payload Fields   |
| :-------------- | :---------------- | :------------------- |
| meeting.started | Meeting begins    | meeting.id, host\_id |
| meeting.ended   | Meeting concludes | meeting.id           |

## 2) Configure Verification in Agent Studio

Zoom uses a challenge for URL validation and signatures for events. Configure both.

### For Verification Challenge

In the One Time Verification Challenge panel:

1. Set Challenge Detection: `parsed_body.event == "endpoint.url_validation"` using Moveworks DSL.  (detects the validation `POST`).
2. Choose HTTP Response Status Code: `200 OK`. Zoom expects success codes; mismatches fail validation.
3. HTTP Response Headers: Leave default or add if required.
4. HTTP Response Body. This echoes the token and adds the signed version:
   ```yaml
   plainToken: parsed_body.payload.plainToken
   encryptedToken: challenge_token["zoom_token"]
   ```
5. Click Add Challenge Token to create the signed value:
   1. Name: Set to `zoom_token` (or any unique identifier). This name becomes a reference key, use it in the response body as shown above `challenge_token["zoom_token"]` to insert the computed hash dynamically.
   2. Signing Algorithm: `HMAC-SHA256`
   3. Signing Secret: Paste the Secret Token from Zoom, the shared key for hashing.
   4. Signing Payload: `parsed_body.payload.plainToken`

### For Signature Verification

In the Verification panel:

1. Add a new rule.
2. Select Validation Type: Signature Verification.
3. Secret Shared by External System: Same Secret Token from Zoom.
4. Signature Verification Hash Mode: `HMAC-SHA256`.
5. Verification Payloads: Concatenate using DSL: `$CONCAT([headers["x-zm-request-timestamp"],":",raw_body],"")`. This builds the exact string Zoom signs.
6. Verification Received Signature: `headers["x-zm-signature"]`.

# Zoom Documentation

* [Using Webhooks](https://developers.zoom.us/docs/api/webhooks/)

<br />