Skip to content

Zoom API Key

Service Name: Zoom Video Communications

Service Description: Zoom is a cloud-based video conferencing service that provides video and audio conferencing, chat, and webinars across mobile, desktop, and room systems.

Service Address: https://zoom.us/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through Zoom's security settings.

Secret Access Scope: Grants programmatic access to Zoom's API endpoints, allowing management of meetings, users, accounts, and other Zoom resources.

Secret Revokement URL: https://marketplace.zoom.us/user/build

Secret Example: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOm51bGwsImlzcyI6IlpvMDFtX3NTT W15X3FaQWFBQUFBQSIsImV4cCI6MTY1MDM5MjAwMCwiaWF0IjoxNjE4ODU2MDAwfQ.8D_zXYEWG OqE8VUQKnSB-AJvaO-AjN6gxMmJhAFpU2A

Suspicious Activity Investigation Instructions:

  • Review Zoom Dashboard for unusual meeting creation or user management activities
  • Check API usage logs for unexpected API calls or access patterns
  • Monitor for unauthorized changes to account settings or user permissions
  • Review IP addresses that have accessed the API for unfamiliar locations
  • Check for unusual meeting participants or unexpected webinar registrations

Mitigation Instructions:

  • Log in to your Zoom account and navigate to the Zoom Marketplace
  • Go to "Manage" > "Developed Apps" or "Build App"
  • Select the app associated with the compromised API key
  • Click on "App Credentials"
  • Click "Rotate" next to the JWT Token or API Key to invalidate the current key
  • Generate a new API key to replace the compromised one
  • Update any applications or integrations with the new API key
  • Consider implementing additional security measures such as IP restrictions
  • Review and adjust the app's scopes to limit access to only necessary functions