Authentication

Fully Customizable SDK apps authenticate with Zoom through a pair of access credentials, SDK Key and SDK Secret, which are signed and communicated using JSON Web Tokens (JWT).

Obtaining SDK Key & Secret

To obtain your SDK Key & Secret, connect with us for initial launch details.

Generating JWT

JWTs are generated with three core parts: Header, Payload, and Signature. When combined, these parts are separated by a period (.) to form a token: aaaaa.bbbbb.ccccc.

Header

The Header includes the specification of the signing algorithm and the type of token.

alg refers to the algorithm being used. Zoom APIs and SDKs use HMAC SHA256 (HS256). The use of other algorithms may produce unexpected results.

typ refers to the token type: JWT.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The payload of a JWT contains the claims of the token, or the pieces of information being passed about the user and any metadata required.

app_key is the SDK Key found in the App Dashboard.

version should be set to 1.

user_identity is an available field to uniquely specify a user in your own system.

iat is the timestamp of the token in seconds identifying when the JWT was issued.

exp is the expiration time of the token in seconds since epoch. For the token to be accepted, the current date/time must be before the expiration date/time. Expiration times are limited to a maximum of two days (48 hours) from the current date/time.

tpc is the name of the session that the user is going to create or join. It cannot be empty and the maximum length is 200 characters.

{
  "app_key": "SDK_KEY",
  "version": 1,
  "user_identity": "User ID",
  "iat": "Current Timestamp",
  "exp": "Timestamp expiration date (Max: 2 days)",
  "tpc": "Session name, cannot be empty (Max: 200 characters)"
}

Signature

To create the signature, base64url-encode the header and the payload, join them with a period, and compute an HMAC SHA256 over that string using the SDK Secret as the key.

HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    SDK_SECRET)
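As an added example (not code from the Zoom docs), the steps above implemented in Python with only the standard library; the SDK key, secret, session name and timestamps are constructed placeholders, and the verify function shows the checks a backend would apply to an incoming token:

```python
import base64
import hashlib
import hmac
import json

MAX_EXP_SECONDS = 48 * 60 * 60  # exp may be at most two days after iat
MAX_TPC_LENGTH = 200            # session name (tpc) length limit


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def build_video_sdk_jwt(sdk_key, sdk_secret, tpc, user_identity, iat, exp):
    """Create the HS256 JWT described above, enforcing the tpc and exp limits."""
    if not tpc or len(tpc) > MAX_TPC_LENGTH:
        raise ValueError("tpc must be 1 to 200 characters")
    if exp <= iat or exp - iat > MAX_EXP_SECONDS:
        raise ValueError("exp must be after iat and at most 48 hours later")
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"app_key": sdk_key, "version": 1, "user_identity": user_identity,
               "iat": iat, "exp": exp, "tpc": tpc}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    sig = hmac.new(sdk_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_video_sdk_jwt(token, sdk_secret, now):
    """Return the payload if the signature, alg and exp check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    expected = hmac.new(sdk_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(expected), s):  # constant-time compare
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # accept only HS256
        return None
    payload = json.loads(b64url_decode(p))
    if now >= payload.get("exp", 0):  # token must still be before its expiry
        return None
    return payload
```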

Important: Though a JWT is protected against tampering, the information in it can be read by anyone. Do not store confidential information or personally identifiable information (PII) in the payload or header elements of a JWT.

Best practices

It is highly recommended to handle your SDK Key and Secret, and to generate the JWT, on a backend server that your application then consumes from. Do not generate or store SDK credentials or JWTs in a production client application.

Zoom SDKs support JWTs generated with the libraries listed on JWT.io. While other libraries can create JWTs, these recommended libraries are the most robust.

We also recommend this post from Auth0 on A Look at The Draft for JWT Best Current Practices.

Technical specifics of JSON Web Tokens can be found at JWT.io.

Need help?

The first place to look is on our Developer Forum. If you can't find the answer or your request includes sensitive information, contact Developer Support.