Developer
Developer
Documentation
SDK
API Reference
Support
Blog
Changelog
My Apps
Create App
No results found.
Fully Customizable SDKs
Introduction
Comparing Zoom SDKs
Setting up developer accounts
Authentication
Client SDKs
Introduction
Developer accounts
Authentication
User login types
Additional Tips
SDK Reference
Android SDK Reference
iOS SDK Reference
Mac SDK Reference
Windows SDK Reference
Electron SDK Reference
Web SDK Reference

Authentication

Fully Customizable SDK apps authenticate with Zoom through a pair of access credentials, SDK Key and SDK Secret, which are signed and communicated using JSON Web Tokens (JWT).

Obtaining SDK package and credentials

Login to the Zoom App Marketplace using your developer account, click the Develop option in the dropdown on the top-right corner and select Build App. Next, click the Create button and provide the required details.

After providing the required information, you can download the desired SDK package from the Download tab.

Locate your app credentials (SDK Key and Secret) in the App Credentials tab. Use these credentials to generate a JWT.

Generating JWT

Your app must be authenticated with JWT in order to create and join a session.

JWTs are generated with three core parts: Header, Payload, and Signature. When combined, these parts are separated by a period (.) to form a token: aaaaa.bbbbb.ccccc.

Header

The Header includes the specification of the signing algorithm and the type of token.

alg refers to the algorithm being used. Zoom APIs and SDKs use HMAC SHA256 (HS256). The use of other algorithms may produce unexpected results.

typ refers to the token type: JWT.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The payload of a JWT contains the claims of the token, or the pieces of information being passed about the user and any metadata required.

app_key is the SDK Key found in the App Dashboard.

version should be set to 1.

user_identity is an available field to uniquely specify a user in your own system.

iat is the timestamp of the token in seconds identifying when the JWT was issued. The value of this field should be in long format and should not be a string.

exp shows the expiration time of the token in seconds since epoch. To process, the current date/time must be before the expiration date/time. Expiration times are limited to a maximum of two days (48 hours) from the current date/time.

tpc is the name of the session that the user is going to create or join. It cannot be empty and the maximum length is 200 characters.

{
  "app_key": "SDK_KEY",
  "version": 1,
  "user_identity": "User ID",
  "iat": 0, //Provide the current timestamp as the value of this field.
  "exp": 0, //Timestamp expiration date (Max: 2 days) in epoch format.
  "tpc": "Session name, cannot be empty (Max: 200 characters)"
}

Signature

To create a signature for the JWT, the header and payload must be encoded with the SDK Secret through an HMAC SHA256 algorithm.

HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    SDK_SECRET)

Important: Though JWT is protected against tampering, the information in these tokens can be read by anyone. Do not store confidential information or personally identifiable information (PII) in the payload or header elements of a JWT.

Best practices

It is highly recommended to handle your SDK Key and Secret and generate JWT in a backend server to be consumed by your application. Do not generate or store SDK credentials and JWT in a production application.

Zoom SDKs support JWTs generated with JWT.io libraries. While other libraries can create JWT, these recommended libraries are the most robust.

We also recommend this post from Auth0 on A Look at The Draft for JWT Best Current Practices.

Technical specifics of JSON Web Tokens can be found at JWT.io.

Next steps

Need help?

The first place to look is on our Developer Forum. If you can't find the answer or your request includes sensitive information, contact Developer Support.

Copyright ©2021 Zoom Video Communications, Inc. All rights reserved. Privacy Policy · Terms