Webhook Example: Zoom

Zoom webhooks notify your endpoint of events such as a meeting starting or ending. They require an initial URL validation challenge and support signature verification for events. This example shows how to handle setup trust (the challenge) separately from ongoing security (the signature), a pattern common in services with periodic re-validation.

Quickstart

1) Register the Webhook in Zoom

Registration triggers the challenge. In Zoom:

  1. Go to Zoom Marketplace > Develop > Build Legacy App > Webhook Only.
  2. Add event subscriptions.
  3. Event notification endpoint URL: Your Agent Studio listener URL.
  4. Generate a Secret Token and note it; the same token is used for both challenge signing and event signatures.
  5. Validate the URL (triggers the challenge — do this after setting up your listener below).
  6. Save and subscribe to events.

| Event | Description | Key Payload Fields |
|---|---|---|
| meeting.started | Meeting begins | meeting.id, host_id |
| meeting.ended | Meeting concludes | meeting.id |

2) Configure Verification in Agent Studio

Zoom uses a challenge for URL validation and signatures for events. Configure both.

For Verification Challenge

In the One Time Verification Challenge panel:

  1. Set Challenge Detection: parsed_body.event == "endpoint.url_validation" using Moveworks DSL. This detects the validation POST.
  2. Choose HTTP Response Status Code: 200 OK. Zoom expects success codes; mismatches fail validation.
  3. HTTP Response Headers: Leave default or add if required.
  4. HTTP Response Body. This echoes the token and adds the signed version:
    plainToken: parsed_body.payload.plainToken
    encryptedToken: challenge_token["zoom_token"]
  5. Click Add Challenge Token to create the signed value:
    1. Name: Set to zoom_token (or any unique identifier). This name becomes a reference key: use it in the response body, as shown above in challenge_token["zoom_token"], to insert the computed hash dynamically.
    2. Signing Algorithm: HMAC-SHA256
    3. Signing Secret: Paste the Secret Token from Zoom, the shared key for hashing.
    4. Signing Payload: parsed_body.payload.plainToken

For Signature Verification

In the Verification panel:

  1. Add a new rule.
  2. Select Validation Type: Signature Verification.
  3. Secret Shared by External System: Same Secret Token from Zoom.
  4. Signature Verification Hash Mode: HMAC-SHA256.
  5. Verification Payloads: Concatenate using DSL: $CONCAT([headers["x-zm-request-timestamp"],":",raw_body],""). This builds the exact string Zoom signs.
  6. Verification Received Signature: headers["x-zm-signature"].
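
The two configurations above, written out as one handler so the computations can be checked by hand. This is an added example, not Moveworks or Zoom code. It assumes lowercase header names, that the signature header carries the hex digest of the string built in step 5, and that the timestamp is in Unix epoch seconds; the function names and the freshness window are hypothetical additions.

```python
import hashlib
import hmac
import json
import time


def hmac_hex(secret: bytes, message: bytes) -> str:
    """Hex-encoded HMAC-SHA256, the algorithm selected in both panels."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def handle_zoom_post(secret, headers, raw_body, now=None, max_skew=300):
    """Return (http_status, response_body) for one inbound POST.

    headers: dict with lowercase names (assumption); raw_body: bytes as received.
    """
    try:
        parsed = json.loads(raw_body)
    except ValueError:
        return 400, {}

    # Setup trust: the one-time URL validation challenge.
    if isinstance(parsed, dict) and parsed.get("event") == "endpoint.url_validation":
        payload = parsed.get("payload")
        plain = payload.get("plainToken") if isinstance(payload, dict) else None
        if not isinstance(plain, str):
            return 400, {}
        return 200, {"plainToken": plain,
                     "encryptedToken": hmac_hex(secret, plain.encode())}

    # Ongoing security: recompute the signature over timestamp + ":" + raw body.
    ts = headers.get("x-zm-request-timestamp", "")
    received = headers.get("x-zm-signature", "")
    expected = hmac_hex(secret, ts.encode() + b":" + raw_body)
    # Constant-time comparison; sign the raw bytes, never re-serialized JSON.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401, {}

    # Added replay guard (not configured on the page): reject stale timestamps.
    # Assumes the timestamp header is Unix epoch seconds.
    now = time.time() if now is None else now
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > max_skew:
        return 401, {}
    return 200, {}


if __name__ == "__main__":
    body = b'{"event":"endpoint.url_validation","payload":{"plainToken":"abc123"}}'  # constructed
    print(handle_zoom_post(b"constructed-secret", {}, body))
```

Signing the bytes exactly as received matters: a body that is parsed and re-serialized before hashing can differ in whitespace or key order and will fail verification.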

Zoom Documentation