Setup Zoom Webhooks
Run a fast Zoom webhook preflight so solo builders catch reachability, signature, and URL-validation failures before hours of deep debugging.
Overview
setup-zoom-webhooks is an agent skill for the Build phase that runs a five-minute Zoom webhook preflight covering reachability, signature verification, URL validation, subscriptions, and async handling.
Install
npx skills add https://github.com/anthropics/knowledge-work-plugins --skill setup-zoom-webhooksWhat is this skill?
- 5-minute preflight runbook before deep webhook debugging
- HMAC_SHA256 signature check using raw body bytes—no JSON re-serialize
- Stale-timestamp rejection via x-zm-request-timestamp
- endpoint.url_validation plainToken and encryptedToken handling
- HTTP 200 fast response with async business logic processing pattern
- 5-step preflight runbook
- v0 HMAC_SHA256 signature formula with raw request body
Adoption & trust: 840 installs on skills.sh; 19.6k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your Zoom webhook endpoint is deployed but events fail verification, validation challenges, or never arrive—and you do not know which layer is wrong.
Who is it for?
Builders who already have a Zoom app and HTTPS endpoint but need a structured pass/fail checklist before tracing application code.
Skip if: Teams that have not created a Zoom app or public endpoint yet—start with Zoom developer setup guides first.
When should I use this skill?
Before deep debugging Zoom webhook failures—when reachability, signatures, or URL validation may be wrong.
What do I get? / Deliverables
You confirm each common failure mode in order and can move on to deeper debugging only after signatures, validation, and subscriptions are proven correct.
- Verified checklist outcome for each of the five preflight steps
Recommended Skills
Journey fit
Webhook wiring and Zoom app configuration belong in the integrations slice of build—the phase where you connect external services to your product. The runbook is narrowly about third-party webhook endpoints (HTTPS routing, HMAC verification, subscriptions), which maps directly to integrations work.
How it compares
Use instead of ad-hoc log grep when webhook HMAC or url_validation behavior is the suspected root cause.
Common Questions / FAQ
Who is setup-zoom-webhooks for?
Solo and indie developers integrating Zoom webhooks into APIs or SaaS backends who want a short operational runbook before deep debugging.
When should I use setup-zoom-webhooks?
During Build integrations when wiring Zoom listeners, and during Ship security or launch hardening when production webhooks fail signature or validation checks.
Is setup-zoom-webhooks safe to install?
Review the Security Audits panel on this Prism page for install risk and permissions; the skill references webhook secrets and signature verification—treat credentials as sensitive in your agent environment.
SKILL.md
READMESKILL.md - Setup Zoom Webhooks
# Webhooks 5-Minute Preflight Runbook Use this before deep debugging. It catches common webhook failures quickly. ## Skill Doc Standard Note - Agent-skill standard entrypoint is `SKILL.md`. - This runbook is an operational convention (recommended), not a required skill file. - `SKILL.md` is also a navigation convention for larger skill docs. ## 1) Confirm Endpoint Reachability - Public HTTPS endpoint is reachable from Zoom. - Reverse proxy routes to the correct service path. ## 2) Confirm Signature Verification - Verify `x-zm-signature` with raw request body. - Use `x-zm-request-timestamp` and reject stale timestamps. - Do not re-serialize parsed JSON for signature material. ### Signature Formula Reminder ```text payload = "v0:" + x-zm-request-timestamp + ":" + raw_body expected = "v0=" + HMAC_SHA256(webhook_secret, payload) ``` If `raw_body` differs from original bytes (pretty print/re-stringify), verification fails. ## 3) Confirm URL Validation Handling - Handle `endpoint.url_validation` challenge correctly. - Return expected `plainToken` and computed `encryptedToken` when required. ### URL Validation Reminder On `event = endpoint.url_validation`, hash `payload.plainToken` with your webhook secret and return both values exactly. ## 4) Confirm Event Subscription Setup - Feature/Event subscriptions enabled in app config. - Required event types selected and saved. ## 5) Confirm Processing Pattern - Respond HTTP 200 quickly. - Process business logic asynchronously. - Make handlers idempotent for retries. ## 6) Quick Probes - Local test payload verifies signature path. - Zoom test event reaches endpoint and is logged. - No repeated non-200 responses in logs. ### Copy/Paste Validation Commands ```bash # 1) Reachability check (replace with your webhook route) curl -sS -i "https://your-domain.example/webhook" # 2) Check service logs quickly while sending test events # (replace command with your runtime: pm2/docker/systemd) pm2 logs your-service --lines 100 # 3) Basic endpoint health check if available curl -sS -i "https://your-domain.example/health" ``` Expected: endpoint is reachable over HTTPS, events appear once, and responses are consistently 2xx. ## 7) Fast Decision Tree - **No events received** -> endpoint unreachable or wrong subscription. - **401 invalid signature** -> raw body mismatch/secret mismatch. - **Duplicate events** -> no idempotency or delayed responses. ## 8) Retry and Idempotency Guardrail - Treat webhook delivery as at-least-once. - Deduplicate by event ID/timestamp/resource key before side effects. - Keep handlers safe to re-run. --- name: setup-zoom-webhooks description: Reference skill for Zoom webhooks. Use after routing to an event-driven workflow when implementing subscriptions, signature verification, delivery handling, retries, or event-type selection. triggers: - "zoom webhook" - "webhook signature" - "x-zm-signature" - "event subscription" - "recording completed webhook" --- # /setup-zoom-webhooks Background reference for Zoom event delivery over HTTP. Prefer workflow skills first, then use this file for verification, subscription, and delivery details. ## Prerequisites - Zoom app with Event Subscriptions enabled - HTTPS endpoint to receive webhooks - Webhook secret token for verification > **Need help with authentication?** See the **[zoom-oauth](../oauth/SKILL.md)** skill for OAuth setup. ## Quick Start ```javascript // Express.js webhook handler const crypto = require('crypto'); // Capture raw body for signature verification (avoid re-serializing JSON). app.use(require('express').json({ verify: (req, _res, buf) => { req.rawBody = buf; } })); app.post('/webhook', (req, res) => { // Verify webhook signature const signature = req.headers['x-zm-signature']; const timestamp = req.headers['x-zm-request-timestamp']; const body = req.rawBody ? req.rawBody.toString('utf8') : JSON.stringify(req.body); const payload = `v0:${timestamp}:${body}`; c