All apps that are made available to end-users must provide the proper ability for the User to uninstall or deauthorize the app in compliance with Zoom’s commitment to security and the protection of User data. To do so, apps must provide a secured endpoint for receiving Deauthorization notifications from Zoom.

Deauthorization Event URLs

The Deauthorization Event URL is an open endpoint required for each app to receive information on Deauthorization events. This endpoint must be secured over HTTPS. It is highly recommended that this endpoint be secured by verifying that all incoming POST requests contain the app’s Verification Token, as referenced below.

Deauthorization Event Notifications

When a User chooses to uninstall or deauthorize an app, Zoom will send a Deauthorization Event Notification as an HTTP POST request to the app’s Deauthorization Notification Endpoint URL. This signed request contains information on the User and the time of deauthorization.

Below is an example Deauthorization request body, sent to an app’s Deauthorization Notification Endpoint URL:

  "event": "app_deauthorized",
  "payload": {
    "account_id": "EabCDEFghiLHMA",
    "user_id": "z9jkdsfsdfjhdkfjQ",
    "signature": "827edc3452044f0bc86bdd5684afb7d1e6becfa1a767f24df1b287853cf73000",
    "deauthorization_time": "2019-06-17T13:52:28.632Z",
    "client_id": "ADZ9k9bTWmGUoUbECUKU_a"

Security Validation

It is highly recommended for all apps to verify that requests received by the Deauthorization Notification Endpoint URL are requests sent from Zoom to prevent vulnerability to denial-of-service attacks.

To do so, OAuth and Chatbot apps are provided with a Verification Token found on the Features page of the app’s Dashboard. The header of each Deauthorization notification contains an authorization property which includes the app’s Verification Token. All incoming requests to the Deauthorization Notification Endpoint URL should be compared to the Verification Token before being accepted.

Note: A Verification Token for Deauthorization events is generated only after a valid Deauthorization Notification Endpoint URL has been added.