Skip to content

Zoom API JWT

Service Name: Zoom Video Communications

Service Description: Zoom is a cloud-based video conferencing service that provides video and audio conferencing, chat, and webinars across mobile, desktop, and room systems.

Service Address: https://zoom.us/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through Zoom's security settings.

Secret Access Scope: Grants programmatic access to Zoom APIs for managing meetings, users, accounts, and other Zoom resources.

Secret Revokement URL: https://marketplace.zoom.us/docs/guides/auth/jwt/

Secret Example: eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOm51bGwsImlzcyI6IkFCQ0RFRkdISUtMTU5PUFF6UlNUV VZXWFlaIiwiZXhwIjoxNjE1MjM2NDAwLCJpYXQiOjE2MTUyMjkyMDB9.1234567890abcdefghi jklmnopqrstuvwxyz

Suspicious Activity Investigation Instructions:

  • Review Zoom dashboard for unusual meeting creation or user management activities
  • Check API usage logs for unexpected API calls or high-volume requests
  • Monitor for unauthorized changes to Zoom settings or user permissions
  • Verify if there are any unexpected integrations or apps connected to your Zoom account
  • Look for geographical anomalies in access patterns

Mitigation Instructions:

  • Log in to the Zoom Developer Dashboard at https://marketplace.zoom.us/
  • Navigate to the JWT app that's using the compromised credentials
  • Generate a new API key and secret to replace the compromised one
  • Update all applications and services using the old credentials with the new ones
  • Consider implementing additional security measures like IP restrictions
  • Review and update your application's security practices for storing and

handling JWT tokens

  • Enable Zoom's advanced security features like two-factor authentication for

administrative accounts