Deauthorization


All apps that are made available to end-users must provide the proper ability for the User to uninstall or deauthorize the app in compliance with Zoom’s commitment to security and the protection of User data. To do so, apps must provide a secured endpoint for receiving Deauthorization notifications from Zoom and respond with proper data retention practices.

Deauthorization Event URLs

The Deauthorization Event URL is an open endpoint required for each app to receive information on Deauthorization events. This endpoint must be secured over HTTPS. It is highly recommended that this endpoint be secured by verifying that all incoming POST requests contain the app’s Verification Token, as referenced below.

Deauthorization Event Notifications

When a User chooses to uninstall or deauthorize an app, Zoom will send a Deauthorization Event Notification as an HTTP POST request to the app’s Deauthorization Notification Endpoint URL. This signed request contains information on the User, their data retention preferences, and the time of deauthorization.

Below is an example Deauthorization request body, sent to an app’s Deauthorization Notification Endpoint URL:

{
  "event": "app_deauthorized",
  "payload": {
    "user_data_retention": "false",
    "account_id": "EabCDEFghiLHMA",
    "user_id": "z9jkdsfsdfjhdkfjQ",
    "signature": "827edc3452044f0bc86bdd5684afb7d1e6becfa1a767f24df1b287853cf73000",
    "deauthorization_time": "2019-06-17T13:52:28.632Z",
    "client_id": "ADZ9k9bTWmGUoUbECUKU_a"
  }
}

Security Validation

It is highly recommended that all apps verify that requests received by the Deauthorization Notification Endpoint URL were actually sent by Zoom, so that the endpoint is not left vulnerable to denial-of-service attacks.

To do so, OAuth and Chatbot apps are provided with a Verification Token, found on the Features page of the app's Dashboard. Each Deauthorization notification carries an authorization header whose value is the app's Verification Token. The authorization header of every incoming request to the Deauthorization Notification Endpoint URL should be compared with the Verification Token before the request is accepted.

Note: A Verification Token for Deauthorization events is generated only after a valid Deauthorization Notification Endpoint URL has been added.

Data Compliance

After receiving a Deauthorization notification (sent following the User's request), all apps must delete all associated User data if the User has requested that their data be deleted, and must then notify Zoom of data retention compliance through the Data Compliance API (POST https://api.zoom.us/oauth/data/compliance). Use our Data Compliance reference for details on this requirement, including a sample schema and payload.
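The following is an added example, not code from Zoom's documentation or SDKs, showing how an app might implement both the Security Validation step above (comparing the authorization header with the Verification Token in constant time) and the Data Compliance decision (delete data and report to the Data Compliance API only when user_data_retention is "false"). The Verification Token value is a placeholder, and the sample request is constructed from the example body on this page; the handler returns a decision rather than performing deletion or the compliance call, so it runs offline.

```python
import hmac
import json

# Placeholder for the app's Verification Token from the Dashboard (assumed value).
VERIFICATION_TOKEN = "example-verification-token"
# Endpoint named on the page for reporting data-retention compliance.
DATA_COMPLIANCE_URL = "https://api.zoom.us/oauth/data/compliance"


def handle_deauthorization(headers: dict, raw_body: bytes, token: str = VERIFICATION_TOKEN) -> dict:
    """Validate a Deauthorization notification and decide what the app must do.

    Returns a dict with the HTTP status to answer and the required follow-up;
    deletion and the compliance POST are left to the caller.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    presented = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(presented.encode(), token.encode()):
        return {"status": 401, "accepted": False, "reason": "bad verification token"}

    try:
        body = json.loads(raw_body)
    except ValueError:
        return {"status": 400, "accepted": False, "reason": "malformed JSON"}
    if body.get("event") != "app_deauthorized":
        return {"status": 400, "accepted": False, "reason": "unexpected event"}

    payload = body.get("payload", {})
    # The page shows user_data_retention as the string "false"; accept booleans too.
    retain = str(payload.get("user_data_retention", "")).lower() == "true"
    return {
        "status": 200,
        "accepted": True,
        "user_id": payload.get("user_id"),
        "account_id": payload.get("account_id"),
        "delete_user_data": not retain,
        # Only when the User asked for deletion must the app report compliance.
        "compliance_report_url": None if retain else DATA_COMPLIANCE_URL,
    }


# Constructed sample request, reusing the example body from the page.
SAMPLE_HEADERS = {"Authorization": VERIFICATION_TOKEN, "Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({"event": "app_deauthorized", "payload": {
    "user_data_retention": "false", "account_id": "EabCDEFghiLHMA",
    "user_id": "z9jkdsfsdfjhdkfjQ", "deauthorization_time": "2019-06-17T13:52:28.632Z",
    "client_id": "ADZ9k9bTWmGUoUbECUKU_a"}}).encode()

if __name__ == "__main__":
    print(handle_deauthorization(SAMPLE_HEADERS, SAMPLE_BODY))
```

In a real app the endpoint should also answer the 401 and 400 cases without touching any stored data, and perform the deletion and compliance POST only for an accepted decision with delete_user_data set.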

Need help?

The first place to look is on our Developer Forum. If you can't find the answer or your request includes sensitive information, contact Developer Support.