Implementing Zoom Webhook Validation in PHP

When integrating Zoom webhooks into your application, it’s crucial to ensure that the incoming webhook requests are indeed from Zoom. This is where webhook validation comes into play. In PHP, validating a Zoom webhook involves a few key steps which, when implemented correctly, secure your application by verifying that the source of the requests is legitimate.

Understanding the Validation Process

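Zoom sends an event notification to your specified endpoint URL whenever an event occurs that your app is subscribed to. To confirm the authenticity of these requests, Zoom provides a verification token that you can use to validate the incoming webhook requests. The script below handles the endpoint.url_validation event: it reads the plainToken from the payload, computes its HMAC-SHA256 keyed with the token stored in $secretToken, and returns both values as JSON.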


<?php
// Token from your Zoom app; in production, load it from configuration instead of hard-coding it
$secretToken = 'Your_Zoom_Secret_Token';
// Get the raw POST data from the request
$input = file_get_contents("php://input");

// Decode the JSON data
$data = json_decode($input);

// Check if the event type is "endpoint.url_validation"
if ($data && isset($data->event) && $data->event === "endpoint.url_validation") {
	// Check if the payload contains the "plainToken" property
	if (isset($data->payload) && isset($data->payload->plainToken)) {
		// Get the plainToken from the payload
		$plainToken = $data->payload->plainToken;

		// Hash the plainToken using HMAC-SHA256
		$encryptedToken = hash_hmac("sha256", $plainToken, $secretToken);

		// Create the response JSON object
		$response = [
			"plainToken" => $plainToken,
			"encryptedToken" => $encryptedToken
		];

		// Set the response HTTP status code to 200 OK
		http_response_code(200);

		// Set the response content type to JSON
		header("Content-Type: application/json");

		// Output the response JSON
		echo json_encode($response);
	} else {
		// Payload is missing the "plainToken" property
		http_response_code(400); // Bad Request
		echo "Payload is missing 'plainToken' property.";
	}
} else {
	// Invalid event type
	http_response_code(400); // Bad Request
	echo "Invalid event type.";
}

?>
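
The following added example, which is not part of the original post, checks the signature Zoom attaches to each event notification, so the validation described above also covers ordinary events. The function name, the ZOOM_SECRET_TOKEN environment variable, the 300-second tolerance and the sample values are assumptions.

```php
<?php
// Added example: verify the x-zm-signature header on an incoming Zoom event.
// Signed message format: "v0:{x-zm-request-timestamp}:{raw request body}".
// Assumptions: the timestamp header is Unix seconds; 300 s tolerance is our choice.

function zoom_signature_is_valid(
    string $rawBody, string $timestamp, string $signature,
    string $secretToken, int $now, int $maxSkew = 300
): bool {
    // Fail closed if the secret is not configured: an empty HMAC key is guessable.
    if ($secretToken === '') {
        return false;
    }
    // Reject missing or non-numeric timestamps and requests outside the replay window.
    if (!ctype_digit($timestamp) || abs($now - (int)$timestamp) > $maxSkew) {
        return false;
    }
    // Sign the exact bytes received; re-encoding the JSON would change the hash.
    $expected = 'v0=' . hash_hmac('sha256', "v0:{$timestamp}:{$rawBody}", $secretToken);
    // Constant-time comparison avoids leaking how many characters matched.
    return hash_equals($expected, $signature);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request, so the check can be exercised offline.
    $secret = 'constructed-secret';
    $body = '{"event":"meeting.started","payload":{"object":{"id":"123"}}}';
    $ts = '1700000000';
    $sig = 'v0=' . hash_hmac('sha256', "v0:{$ts}:{$body}", $secret);
    var_dump(zoom_signature_is_valid($body, $ts, $sig, $secret, 1700000010));       // untampered request
    var_dump(zoom_signature_is_valid($body . ' ', $ts, $sig, $secret, 1700000010)); // body altered in transit
    var_dump(zoom_signature_is_valid($body, $ts, $sig, $secret, 1700009999));       // replayed after the window
} else {
    $raw = file_get_contents('php://input');
    $ok = zoom_signature_is_valid(
        $raw,
        $_SERVER['HTTP_X_ZM_REQUEST_TIMESTAMP'] ?? '',
        $_SERVER['HTTP_X_ZM_SIGNATURE'] ?? '',
        getenv('ZOOM_SECRET_TOKEN') ?: '',
        time()
    );
    if (!$ok) {
        http_response_code(401);
        exit('Invalid signature.');
    }
    // Only now decode $raw and dispatch on the event type.
}
```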

Conclusion

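Implementing webhook validation is a best practice that adds a layer of security to your application. The PHP script above answers Zoom's endpoint.url_validation request, which shows Zoom that your endpoint holds the correct token, and it responds with 400 to every other event type. Before your application processes real event notifications, verify each request's x-zm-signature header with the same token, so that only requests verified to be from Zoom are handled, keeping your data and users safe.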
