In order to access Zoom APIs and Webhooks, and to integrate with Marketplace platform tools and services, each app is required to be authenticated and authorized by Zoom and Zoom users. In order to authenticate, each app is provided a set of App Credentials which vary by app type and authentication method.
Authentication with Zoom
Zoom provides support for two common authentication paradigms, OAuth 2.0 for authenticating a user context and JSON Web Tokens (JWT) for authenticating server-to-server apps.
JWT authentication is best used for transmitting data to and from Zoom between trusted services or servers. An example of an app using JWT authentication might be a custom internal CRM app which creates meetings for customers. You could use JWT authentication to create these meetings without needing individual user authentication. Learn more in our JSON Web Tokens (JWT) section which includes our JWT with Zoom guide.
OAuth authentication is best used for apps that require individual end-users to authorize data access. An example of an app using OAuth might be a scheduling app which allows Zoom users to schedule Zoom meetings using a third party scheduling service. Learn more in our OAuth 2.0 section which includes our OAuth with Zoom guide.
Client ID and Client Secret
The Client ID and Client Secret credentials are used by Zoom Marketplace apps for client-to-server authentication in OAuth apps and Chatbot apps. The Client ID is issued to uniquely identify the client within an HTTP auth header. The Client Secret should be stored securely and passed securely in request headers.
Redirect URL for OAuth
The Redirect URL is used by OAuth apps to specify where Zoom should send an authorization token after the user is authenticated. During OAuth, Zoom prompts a user to authorize an app on their account. If the user successfully authorizes, Zoom then redirects them back to your app at the destination specified in the Redirect URL. This could be a specific home or dashboard page, or a URL to indicate successful login for the user. The Redirect URL is also where an error response code is sent if login is unsuccessful.
Development and Production
Development credentials should be used during the building and testing phases of your app (development phase), and for making changes to your app once it is published.
Production credentials should be used once your app is ready to be published on the Marketplace (production environment). In order to “activate” your production credentials, you will need to create a publishable URL (on the Submit page for each app under the Manage tab).
Whitelist URLs are used by your app as an exclusive list of URLs from which Zoom should authorize requests using your credentials. This provides an additional layer of security, allowing Zoom to deny potential authorization requests should they come from destinations or services which do not match your company’s domain or specific prefix.
If you update your Whitelist URLs at any time after generating a Publishable URL, you will be required to regenerate a new Publishable URL.
API Key and API Secret
The API Key and API Secret credentials are used by Zoom Marketplace apps in server-to-server authentication by JWT apps. These credentials are sent to Zoom inside of a JWT generated on each request and should be stored securely in your app’s configuration files.
Verification Tokens are text strings generated for each app that enables Event Subscriptions. These tokens can be used to verify that the notification requests sent to your app’s Event Notification Endpoint URL are from Zoom.
When you subscribe your app to event notifications, a Verification Token will be generated on the Features section of the app’s Manage dashboard. Incoming event notifications sent to your app will contain its Verification Token in the authorization field of the request header.
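One way to perform the Verification Token check described above on the receiving side, as an added example that is not Zoom's own code. The environment variable name, the function names and the sample body are assumptions made for illustration.

```python
import hmac
import json
import os

# Assumption: the token is kept out of source code and supplied through this
# environment variable; the variable name is hypothetical.
TOKEN_ENV_VAR = "ZOOM_VERIFICATION_TOKEN"


def load_verification_token(environ=os.environ):
    """Read the configured token and refuse to start with an empty one."""
    token = environ.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(TOKEN_ENV_VAR + " is not set")
    return token


def is_from_zoom(headers, expected_token):
    """headers is a list of (name, value) pairs taken from the incoming request."""
    if not expected_token:
        return False  # an empty configured token must never match anything
    # HTTP header names are case-insensitive, so compare them lowercased.
    values = [v for k, v in headers if k.lower() == "authorization"]
    if len(values) != 1:
        return False  # missing or duplicated header: fail closed
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(values[0].strip().encode("utf-8"),
                               expected_token.encode("utf-8"))


def handle_event(headers, body, expected_token):
    """Return (status, result); the body is parsed only after the check passes."""
    if not is_from_zoom(headers, expected_token):
        return 401, "verification token mismatch"
    try:
        return 200, json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"


if __name__ == "__main__":
    token = "constructed-token-for-demo"           # constructed sample value
    good = [("Authorization", token)]
    body = b'{"event": "sample"}'                  # constructed sample body
    print(handle_event(good, body, token))
    print(handle_event([("Authorization", "guess")], body, token))
```

Call `load_verification_token()` once at startup and pass its result to `handle_event` for every request that reaches the Event Notification Endpoint URL.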