Authentication
Fully Customizable SDK apps authenticate with Zoom through a pair of access credentials, SDK Key and SDK Secret, which are signed and communicated using JSON Web Tokens (JWT).
Obtaining SDK package and credentials
Log in to the Zoom App Marketplace using your developer account, click the Develop option in the dropdown on the top-right corner and select Build App. Next, click the Create button and provide the required details.
After providing the required information, you can download the desired SDK package from the Download tab.
Locate your app credentials (SDK Key and Secret) in the App Credentials tab. Use these credentials to generate a JWT.
Generating JWT
Your app must be authenticated with JWT in order to create and join a session.
JWTs are generated with three core parts: Header, Payload, and Signature. When combined, these parts are separated by a period (.) to form a token: aaaaa.bbbbb.ccccc.
Header
The Header includes the specification of the signing algorithm and the type of token.
alg refers to the algorithm being used. Zoom APIs and SDKs use HMAC SHA256 (HS256). The use of other algorithms may produce unexpected results.
typ refers to the token type: JWT.
{
"alg": "HS256",
"typ": "JWT"
}
Payload
The payload of a JWT contains the claims of the token, or the pieces of information being passed about the user and any metadata required.
app_key is the SDK Key found in the App Dashboard.
version should be set to 1.
user_identity is an optional field to uniquely identify a user in your own system.
iat is the timestamp of the token in seconds identifying when the JWT was issued. The value of this field should be a long (numeric) value and should not be a string.
exp is the expiration time of the token in seconds since epoch. For the token to be accepted, the current date/time must be before the expiration date/time. Expiration times are limited to a maximum of two days (48 hours) from the current date/time.
tpc is the name of the session that the user is going to create or join. It cannot be empty and the maximum length is 200 characters.
{
"app_key": "SDK_KEY",
"version": 1,
"user_identity": "User ID",
"iat": 0, //Provide the current timestamp as the value of this field.
"exp": 0, //Timestamp expiration date (Max: 2 days) in epoch format.
"tpc": "Session name, cannot be empty (Max: 200 characters)"
}
Signature
To create a signature for the JWT, the header and payload must be encoded with the SDK Secret through an HMAC SHA256 algorithm.
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
SDK_SECRET)
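The following is an added example, not Zoom's own code: a minimal backend-side mint for the token described above, using only the standard library so every step (compact JSON, base64url without padding, HMAC-SHA256 over header.payload) is visible, plus a companion check that rejects a bad signature, a non-HS256 header or an expired token before the backend hands a token out. The credentials are placeholders; real values come from the App Credentials tab.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_LIFETIME = 48 * 3600  # exp may be at most two days after issuance


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_video_sdk_jwt(sdk_key, sdk_secret, tpc, user_identity, iat=None, lifetime=3600):
    """Return an HS256 JWT carrying the Video SDK claims listed above."""
    if not tpc or len(tpc) > 200:
        raise ValueError("tpc must be 1..200 characters")
    if lifetime <= 0 or lifetime > MAX_LIFETIME:
        raise ValueError("exp must be within 48 hours of iat")
    iat = int(time.time()) if iat is None else int(iat)  # a number, never a string
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"app_key": sdk_key, "version": 1, "user_identity": user_identity,
               "iat": iat, "exp": iat + lifetime, "tpc": tpc}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(sdk_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_video_sdk_jwt(token, sdk_secret, now=None):
    """Recompute the HMAC (constant-time compare) and check alg/exp; return payload or None."""
    try:
        signing_input, sig = token.rsplit(".", 1)
        header_b64, payload_b64 = signing_input.split(".")
    except ValueError:
        return None
    expected = hmac.new(sdk_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    unpad = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    header = json.loads(unpad(header_b64))
    if header.get("alg") != "HS256":  # accept only the algorithm Zoom specifies
        return None
    payload = json.loads(unpad(payload_b64))
    now = int(time.time()) if now is None else int(now)
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None
    return payload
```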
Important: Though JWT is protected against tampering, the information in these tokens can be read by anyone. Do not store confidential information or personally identifiable information (PII) in the payload or header elements of a JWT.
Best practices
It is highly recommended to handle your SDK Key and Secret and generate JWTs in a backend server to be consumed by your application. Do not generate JWTs or store SDK credentials in the production application itself.
Zoom SDKs support JWTs generated with JWT.io libraries. While other libraries can create JWT, these recommended libraries are the most robust.
We also recommend this post from Auth0 on A Look at The Draft for JWT Best Current Practices.
Technical specifics of JSON Web Tokens can be found at JWT.io.