Zoom uses the OpenAPI spec to guide our development. This spec allows for access tokens to be sent via URL query parameters. As part of our continuing efforts to improve security, as of Feb 14, 2023 Zoom will only accept requests with access token values in the `Authorization` header.
What is the impact?
To make a request with any of the Zoom API endpoints, a user must authenticate the request using a valid Zoom access token. Going forward, any API request to Zoom will need to be updated to include the access token value in the `Authorization` header.
Example using Python, the change would be from this…
Will this change have any effect on webhooks?
This depends on how you consume the webhook event.
If you are saving information from the event to your own data stores without interacting with Zoom APIs, no action is required.
If you are taking values from the webhook event, like the meetingID value from a `meeting.ended` event and then making a request to the Zoom API to get the meeting participants, then you must make this change.
If you are consuming the `recording.completed` event, you must change how your code sends the `download_token` value. This value should be treated like an access token and should only be sent via the request headers.
What happens if I fail to update my code?
Beginning February 14, 2023, any API request that is sent with the access token in the URL query parameters will fail.
I use a JWT app. Does this affect me?
Yes. The JWT app type (which is being deprecated) generates an access token that is consumed by the Zoom API. This access token must be sent as part of the Authorization Request header as well.
What error will users receive if they don’t change their code in time?
Beginning February 14, 2023, the user will receive an error code of 124 with a message stating they have sent an invalid access token. (See example below).