Create a Server-to-Server OAuth app

The OAuth 2.0 authorization framework enables third-party apps to obtain selected access to an HTTP service.

A Server-to-Server OAuth app enables you to securely integrate with Zoom APIs and get your account owner access token without user interaction. This is different from the OAuth app type, which requires user authentication. See Using OAuth 2.0 for details.

This app type is added and managed across an account by account admins. This app type also enables you to utilize event subscriptions using Webhooks.

Zoom Account client credentials grant type

The Zoom account client credentials grant type facilitates OAuth-authenticated requests between servers without end-user involvement, also known as server-to-server or two-legged OAuth. Use this grant type to enable your private server application to get your account owner access token without user interaction. The features of the account credentials grant type are:

  • The token is the owner’s access token.
  • The token’s time to live is 1 hour.
  • There is no refresh token.
  • Tokens stop working when the app is deactivated.
  • Server-to-Server OAuth apps can be deleted.
  • Account administrators authorize the scopes available to Developers building these app types.

Difference from app credentials

  • Zoom account client credentials is a new grant type developers can use with the Zoom OAuth Service to facilitate OAuth-authenticated requests without end user involvement. This document describes this grant type and how to use it.
  • App credentials are the app client credentials, including the client ID and secret, which Zoom provides to app developers to access the Zoom platform (see step 3 below for details).

Enable permissions

The administrator for a Zoom account must enable the view and edit permissions for Server-to-Server OAuth apps.

To do this, the administrator must enable the Server-to-Server OAuth app role. Go to User Management > Roles > Role Settings > Advanced features and select the View and Edit check boxes for Server-to-Server OAuth app. See Using role management for details.

Create a Server-to-Server OAuth app

Follow the steps below to create a Server-to-Server OAuth app to use with account credentials.

  1. Choose the Server-to-Server OAuth app type.

  2. Add a name for your app.

  3. App credentials — View your Account ID, Client ID and Client Secret.

  4. Information — Add information about your app, such as a short description and developer contact information (name and email address are required for activation).

  5. Toggle whether you’d like to enable event subscriptions. If enabled, choose the event subscriptions you'd like to use. See Using Zoom Webhooks for details.

  6. If you have the role permission to add scopes, add any scopes that you’d like to enable. Choose Add Scopes to search for and add scopes.

  7. Your app should be activated. If you see errors that prevent activation, please address them. You will not be able to generate an access token to make API calls unless your app is activated. If your app is deactivated, existing tokens will no longer work. You can also choose to Deactivate your app in this section.

Use account credentials to get an access token

To use account credentials to get an access token for your app, call the Zoom OAuth token API with the account_credentials grant_type and your account_id:

curl -X POST -H 'Authorization: Basic Base64Encoder(clientId:clientSecret)' 'https://zoom.us/oauth/token?grant_type=account_credentials&account_id={accountId}'


Authorization: Basic Base64Encoder(clientId:clientSecret)

The successful response will be the access token, which is a Bearer token type that expires in an hour, with the scopes that you chose in your app settings screen:

    {
      "access_token": String,
      "token_type": "bearer",
      "expires_in": long,
      "scope": [String]
    }

Get a new access token

There are no refresh tokens for this grant type. To get a new access token, your app should call the /oauth/token endpoint again with the account_credentials grant.
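
The token request and the re-request on expiry described above, as an added Python example (not Zoom's own code). It assumes the token host `https://zoom.us`, the standard OAuth 2.0 response fields `access_token` and `expires_in`, and hypothetical names `TokenCache`, `send`, `clock` and `skew`; the transport is injectable so the logic can be exercised offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumption: Zoom's OAuth host; the page itself names only the /oauth/token path.
TOKEN_URL = "https://zoom.us/oauth/token"


def basic_auth_header(client_id, client_secret):
    """Basic credentials: base64("client_id:client_secret")."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(account_id, client_id, client_secret):
    """POST with grant_type=account_credentials and account_id in the query."""
    query = urllib.parse.urlencode(
        {"grant_type": "account_credentials", "account_id": account_id})
    return urllib.request.Request(
        f"{TOKEN_URL}?{query}", data=b"", method="POST",
        headers={"Authorization": basic_auth_header(client_id, client_secret)})


def http_send(request):
    """Default transport: send the request and decode the JSON body."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)


class TokenCache:
    """Keeps the token in memory only and re-requests it shortly before expiry."""

    def __init__(self, account_id, client_id, client_secret,
                 send=http_send, clock=time.monotonic, skew=60):
        self._creds = (account_id, client_id, client_secret)
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        # No refresh token exists for this grant, so an expired token means
        # repeating the account_credentials request.
        if self._token is None or self._clock() >= self._expires_at:
            body = self._send(build_token_request(*self._creds))
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body["expires_in"]) - self._skew
        return self._token

    def bearer_header(self):
        return {"Authorization": f"Bearer {self.get()}"}
```

Load the Account ID, Client ID and Client Secret from a secret store or environment variables rather than source code, and keep the Authorization header out of application logs.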

Make API calls to Zoom endpoints

Use OAuth 2.0 to make API calls to Zoom endpoints. Send the access token in the Authorization header as a Bearer token:

Authorization: Bearer <Your Token here>

See Using Zoom APIs for details.

Remove Server-to-Server OAuth app

To remove an existing Server-to-Server OAuth app, go to App Management > Created apps and click Remove App in the Action menu.

Note that you cannot publish Server-to-Server OAuth apps to the Marketplace.
