1. Complete App Descriptions
There are two descriptions available for developers, the Short Description and Long Description, each with a distinct purpose:
Use the Short Description to tell customers about your business’s core purpose and explain what your app does in a nutshell. Highlight features or typical use cases of your app. Short descriptions should be 1-2 sentences (maximum 150 characters), and can be updated when submitting new versions.
Provide a Long Description which highlights the features of your app. Use this section to describe your app as a service, and your company as an organization. This is your opportunity to tell Zoom users why they should install this integration, what value your app provides, and why your app is the right solution for them. Ideal descriptions contain a concise, informative paragraph followed by a short list of main features.
A Long Description that lacks sufficient information about app functionality is a common cause of an app submission being denied. Long Descriptions can be updated when a new version of the app is submitted.
2. Add Images / Videos
Images are required to show users what to expect when using the submitted app, including examples of its functions and user interface. Videos (up to 40MB) demonstrate expected app usage and user-interface interaction.
For an example of high-quality image/video content, reference the Hubspot app on the Zoom Marketplace.
If your app tracks user activity, you must provide examples of the activities that are tracked and the information that is collected from the activity. If your app provides a way for users to manage and control the permissions that have been granted, you must list out the steps that users can follow to do so.
Description of Service and Usage Limitation: Include brief information on the services that your app provides to the users. If any of the services are to be used only for personal needs and not commercial usage, include this information in the ToU. If there are specific practices that you want the users to avoid while using your app, clearly state them in the ToU.
Description of Expected Procedures and Liability: If your app has certain maintenance windows during which the guaranteed uptime can deviate, include this information in the ToU. In cases of data and business loss of your app users, state who is liable for mitigating the loss.
Although you can refer to these instructions for getting started with writing your ToU, they should not be treated as an exhaustive list. Consult with your company’s legal team to get support authoring a ToU that best meets your app and business requirements.
5. Provide Support URL
All published apps are required to provide a Support URL for individual on-going support for users of this app. Your support page must include the information outlined below to help customers understand what they can expect when engaging with your support team:
- Hours of Your Support Team
- First Response SLA (Maximum time a customer should expect to wait until they receive their first response from a member in your Customer Support Team)
- Link to create a support case
- Link to email support
- Link to your Knowledge base or forums.
- Link to a live customer support channel (if available)
- Support Phone Number (if available)
By providing this information, your app is better positioned to serve our mutual customers and create a positive experience when they seek support for your app.
6. Provide Documentation URL
All published apps are required to provide a Documentation URL to guide users through app installation and usage. When creating documentation, follow these guidelines:
Installation (Required): A step by step guide for a user to install your app. Link to an installation troubleshooting guide.
Usage (Required): For each feature or action, provide a clear use-case description and a list of any prerequisites.
Uninstallation (Required): A guide to uninstalling the app from your Zoom account. Notify the user of the implications of Deauthorization, and how you will remove their data. If your app has specific requirements, be sure to include these. A simple list like the following will suffice, as uninstallation is handled by Zoom:
- Log in to your Zoom Account and navigate to the Zoom App Marketplace.
- Click Manage > Installed Apps or search for the XYZ app.
- Click the XYZ app.
- Click Uninstall.
In the above list, we have used “XYZ” as a reference for an app. In your documentation, you should replace it with your app’s name.
Troubleshooting (Optional, but highly recommended): List the most common user issues and their solutions including installation issues, adding meetings, accessing recordings, etc.
FAQ (Optional): List the most frequently asked questions, including questions on authorization, activation emails, or unsubscribing from email updates.
Contact Support (Optional): Describe what users can expect when engaging your support team including the hours of your support team and first response SLA (maximum time a user should expect to wait to hear from your support team). Provide a link to create a support case or contact support through email, KB/Forums, or phone.
7. Provide Deauthorization Event URL for Testing
All apps must provide the proper ability for the User to uninstall or deauthorize the app in compliance with Zoom’s commitment to security and the protection of User data. For a direct guide, reference the Deauthorization documentation.
To do so, apps must provide a secured endpoint for receiving Deauthorization notifications from Zoom and respond with proper data retention practices as outlined in the Marketplace Developer Agreement.
8. Optimize App Data Fetching
Apps are expected to adhere to optimal patterns of requesting and subscribing to data from Zoom. Long-polling the Zoom API instead of subscribing to receive Webhook Event requests is considered an anti-pattern and may cause the app to be denied. There are multiple benefits to subscribing to Webhook events, the most significant being performance and monitoring. Enable Event Subscriptions for an app in the “Features” section while creating or managing the app on the App Dashboard.
9. Remove Unused Scopes from Development
Scopes added to apps expose functionality and access to Zoom APIs. Zoom expects all developers to enable only Scopes that make functional, logical, and business sense for their apps. Failure to use proper API requests for a given scope will cause an app to be denied. Zoom recommends only selecting the minimum required Scopes for app operation.
10. Optimize App Authentication and Refresh Flows
Apps should not make overly frequent requests for OAuth tokens. A token should be requested and stored to allow an app to make API requests, rather than generated on each request.
Data returned on responses from Zoom Authentication endpoints should be cached and access_tokens should be re-used until expired. Once expired, a Refresh Token request can be sent for a new token. For more information on this flow, reference our guide to OAuth with Zoom.
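The caching pattern described above, as an added example that is not Zoom's own code: a cache that re-uses one access token until shortly before expiry and only then sends a refresh request. The `request_token` callable, the fake endpoint and the 60-second skew are assumptions made for illustration; `access_token`, `refresh_token` and `expires_in` are the standard OAuth 2.0 response fields.

```python
import time
from typing import Callable, Dict, Optional


class TokenCache:
    """Re-use one access token until it expires, then refresh it once."""

    def __init__(self, request_token: Callable[[Optional[str]], Dict],
                 clock: Callable[[], float] = time.monotonic, skew: float = 60.0):
        # request_token(refresh_token) is a hypothetical callable that performs the
        # HTTPS call to the token endpoint and returns the parsed JSON response.
        # It receives None on the first call (initial grant), a refresh token after.
        self._request_token = request_token
        self._clock = clock
        self._skew = skew  # refresh slightly early so a token never expires mid-request
        self._access: Optional[str] = None
        self._refresh: Optional[str] = None
        self._expires_at = 0.0

    def get(self) -> str:
        if self._access and self._clock() < self._expires_at - self._skew:
            return self._access  # cached token still valid: no network request
        resp = self._request_token(self._refresh)
        self._access = resp["access_token"]
        # Keep the newest refresh token if the server returned one.
        self._refresh = resp.get("refresh_token", self._refresh)
        self._expires_at = self._clock() + float(resp["expires_in"])
        return self._access


def demo():
    """Constructed run: 100 API calls, one per simulated minute, counting token requests."""
    now = [0.0]
    calls = []

    def fake_endpoint(refresh_token):
        calls.append(refresh_token)
        n = len(calls)
        return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}", "expires_in": 3600}

    cache = TokenCache(fake_endpoint, clock=lambda: now[0])
    tokens = []
    for _ in range(100):
        tokens.append(cache.get())
        now[0] += 60
    return calls, tokens
```

In a multi-worker deployment the cached values would live in shared storage behind a lock so that concurrent workers do not each trigger their own refresh.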
11. Whitelist OAuth Redirect URLs
In the Whitelist URL field, add all unique URLs that Zoom should whitelist as valid Redirect URLs for your OAuth flows. This additional security measure ensures that users are only redirected to the pre-approved endpoints that you provided in this field. Make sure to include either the complete URL (https://[subdomain.]domain.tld/path/to/oauth/callback) or the base URL, omitting the path and/or query parameters(
This is a required step to secure your app and prevent unwanted tampering with your app during installation. To minimize the risk of sensitive data leakage, only include URLs that you have provided in the Redirect URL for OAuth field.
Prior to your app submission, ensure that you are following the guidelines listed below regarding your URLs:
- Secure your URLs with HTTPS
- Use FQDNs and refrain from using any localhost addresses
- Refrain from using ngrok domains. If used, you will be required to provide proof of ownership of the specific ngrok domain.
- Refrain from using any default Heroku App domains (example: app_name.herokuapp.com). Use custom domains instead.
When using domains that are different from your App’s domain, you will be required to provide a justification for the addition of these to the whitelist.
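A pre-submission check for the URL guidelines above, as an added example that is not part of Zoom's tooling. The finding codes, the sample URLs, the `example.com` app domain and the ngrok suffix list are constructed assumptions; only the `herokuapp.com` default domain comes from the guidelines themselves.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of ngrok-issued suffixes; extend for your environment.
NGROK_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app")


def check_redirect_url(url: str, app_domain: str) -> list:
    """Return guideline findings for one allowlist entry; an empty list means clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("no-https")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    # IP literals, single-label names and *.localhost are not public FQDNs.
    if is_ip or "." not in host or host.endswith(".localhost"):
        findings.append("not-fqdn")
        return findings
    if host.endswith(NGROK_SUFFIXES):
        findings.append("ngrok")            # needs proof of ownership
    if host.endswith(".herokuapp.com"):
        findings.append("heroku-default")   # use a custom domain instead
    # Match on a label boundary so a lookalike such as example.com.other.test
    # is not mistaken for a subdomain of example.com.
    if host != app_domain and not host.endswith("." + app_domain):
        findings.append("other-domain")     # needs a written justification
    return findings


def audit(urls, app_domain):
    """Map each flagged URL to its findings; clean entries are omitted."""
    report = {u: check_redirect_url(u, app_domain) for u in urls}
    return {u: f for u, f in report.items() if f}


# Constructed sample allowlist for a hypothetical app served from example.com.
SAMPLE = [
    "https://app.example.com/oauth/callback",
    "http://localhost:3000/oauth/callback",
    "https://127.0.0.1/oauth/callback",
    "https://abc123.ngrok.io/oauth/callback",
    "https://app_name.herokuapp.com/oauth/callback",
    "https://example.com.other.test/oauth/callback",
]
```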
12. Specify Installation Process
Zoom expects app installation to be quick, efficient, and self-service. Apps with a freemium business model are ideal for the Zoom App Marketplace, as they typically allow for self-service account creation tools.
A Configuration URL should be set to allow users to easily access configuration settings for the app/integration within the Zoom Marketplace. This is particularly important for apps which have chosen the “Install from Landing Page” feature. You can configure your app to be installed in one of two ways: ‘From your landing page’ or ‘From marketplace’.
If you choose the ‘From Marketplace’ installation method, an ‘Install’ button will be displayed on your app listing page on the Zoom Marketplace and once users click “Install”, they will instantly be taken to the authorization page:
After clicking ‘Authorize’, users will be taken to the redirect URL you have specified in your submission to configure the app or begin using your integration.
If you select ‘From your landing page’ installation method, users will be able to click ‘Visit Site to Install’ on your app listing page and will be taken to the Landing Page URL you have specified in your submission.
The Landing Page URL must route logged in users to a page where they can authorize the integration, and it must redirect unauthenticated users to a sign in page.
Best Practice for Landing Page URLs is to use a deep-linked URL that is behind a paywall or login system (so your system can identify the user by requiring them to first authenticate), and upon successful authentication, redirect the user to your “deep-linked” Landing Page URL (Example: https://foo.tld/integrations/zoom).
Installations via Landing Page are useful if you want to restrict the authorization of your app to only users who already have an account within your system. Having the Zoom integration install link behind your own login system is ‘restricted’ since there is no way to install the app unless the end-user has an account with your company.
The ‘Visit Site to Install’ option is particularly effective if your app requires users to enter unique or organization-specific subdomains to log in to your app (Example: https://my-organization.foo.tld).
13. Secure Confidential Information
In addition to following the steps listed above, ensure that the contents that you submit for publication such as app descriptions, support documentation, images and video files, do not expose your App Credentials and other private information. Blur all mentions of information such as tokens, passwords, and keys to secure confidential data.
Fill out this form prior to submitting your app so that you can assess your app in its current state. Once you complete the assessment, you will receive an email with a link to an auto-generated App Review Report highlighting existing issues and recommendations on how to resolve those issues.