Authentication


Zoom Meeting SDK apps authenticate with Zoom using a pair of credentials, the SDK Key and SDK Secret. The SDK Key is carried in a JSON Web Token (JWT) that your backend signs with the SDK Secret; the SDK Secret itself is never sent to the client.

Additionally, Zoom Access Tokens (ZAK) are required if you need to start a meeting from your SDK app on behalf of a Non-login user.

Note: The Web SDK is authenticated using an API Key and Secret, not an SDK Key and Secret. To use the Web SDK, Create a JWT App on the Marketplace.

Obtaining SDK credentials

Log in to the Zoom App Marketplace, click the Develop option in the dropdown in the top-right corner, select SDK and click Build App. Next, click the Create button and provide the required details.

Locate your app credentials (SDK Key and Secret) in the App Credentials tab. Use these credentials to generate a JWT.

Generating JWT

Your app must be authenticated with JWT in order to use the SDK.

JWTs are generated with three core parts: Header, Payload, and Signature. When combined, these parts are separated by a period (.) to form a token: aaaaa.bbbbb.ccccc.

Header

The Header includes the specification of the signing algorithm and the type of token.

alg refers to the algorithm being used. Zoom APIs and SDKs use HMAC SHA256 (HS256). The use of other algorithms may produce unexpected results.

typ refers to the token type: JWT.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The payload of a JWT contains the claims of the token, or the pieces of information being passed about the user and any metadata required.

appKey is the SDK Key found in the App Dashboard.

iat is the time the JWT was issued, as a Unix timestamp in seconds. The value must be an integer (a long in typed languages), not a string.

tokenExp is when the SDK authentication session expires, as a Unix timestamp in seconds. It must be at least 30 minutes (1800 seconds) greater than the token's iat. When it expires, the SDK triggers a callback telling your app to re-authenticate with a fresh JWT. There is no maximum value, but very long sessions are not recommended because a leaked token stays usable until tokenExp.

exp is when the JWT itself expires, as a Unix timestamp in seconds. It must be at least 30 minutes (1800 seconds) greater than iat and at most iat + 48 hours (172,800 seconds).

{
  "appKey": "SDK_KEY",
  "iat": 1609459200,
  "exp": 1609466400,
  "tokenExp": 1609466400
}

In this example iat is 2021-01-01T00:00:00Z (1609459200) and both exp and tokenExp are two hours later (1609466400), which satisfies the 1800-second minimum and the 48-hour maximum for exp. In your own code, set iat to the current time when the token is generated.

Signature

To create the signature, base64url-encode the header and the payload, join them with a period, and compute an HMAC SHA256 over that string using the SDK Secret as the key. The signature is then base64url-encoded and appended as the third segment of the token.

signature = base64UrlEncode(
    HMACSHA256(
        base64UrlEncode(header) + "." +
        base64UrlEncode(payload),
        SDK_SECRET))

Important: Though JWT is protected against tampering, the information in these tokens can be read by anyone. Do not store confidential information or personally identifiable information (PII) in the payload or header elements of a JWT.
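The following is an added example of the header, payload and signature steps above, using only the Python standard library; it is not Zoom's own code. SDK_KEY and SDK_SECRET are placeholders. Besides building the token it includes a verifier that pins the algorithm to HS256 and compares signatures in constant time, which is the check a backend should make before trusting any token that comes back to it.

```python
"""Build and verify a Zoom Meeting SDK JWT (HS256) with the standard library only.

Added example, not Zoom's own code. SDK_KEY / SDK_SECRET are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

MIN_LIFETIME = 1800        # exp and tokenExp must be >= iat + 30 minutes
MAX_JWT_LIFETIME = 172800  # exp must be <= iat + 48 hours


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as the JWT specification requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_sdk_jwt(sdk_key, sdk_secret, iat=None, jwt_lifetime=7200, session_lifetime=7200):
    """Return header.payload.signature for the Meeting SDK, enforcing the claim rules."""
    if iat is None:
        iat = int(time.time())
    if not isinstance(iat, int):          # iat must be numeric seconds, never a string
        raise TypeError("iat must be an int")
    if jwt_lifetime < MIN_LIFETIME or session_lifetime < MIN_LIFETIME:
        raise ValueError("exp and tokenExp must be at least 1800 s after iat")
    if jwt_lifetime > MAX_JWT_LIFETIME:
        raise ValueError("exp must be at most 48 h after iat")
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"appKey": sdk_key, "iat": iat,
               "exp": iat + jwt_lifetime, "tokenExp": iat + session_lifetime}
    # Compact JSON (no spaces) keeps the token short; the verifier re-hashes the encoded bytes as-is.
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(sdk_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_sdk_jwt(token, sdk_secret, now=None):
    """Check the algorithm, signature and expiry of a token; return its payload."""
    if now is None:
        now = int(time.time())
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("a JWT has exactly three segments")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose it (rejects "none" and any RS*/ES* header).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(sdk_secret.encode(), (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):   # constant-time compare
        raise ValueError("signature mismatch")
    payload = json.loads(_b64url_decode(payload_b64))
    if not all(isinstance(payload.get(k), int) for k in ("iat", "exp", "tokenExp")):
        raise ValueError("iat, exp and tokenExp must be integers")
    if now >= payload["exp"]:
        raise ValueError("JWT has expired")
    return payload


if __name__ == "__main__":
    token = build_sdk_jwt("SDK_KEY", "SDK_SECRET")
    print(token)
    print(verify_sdk_jwt(token, "SDK_SECRET"))
```

Run this on the server that holds the SDK Secret and hand only the resulting token to the client. The verifier deliberately ignores the alg the token claims and only ever recomputes HS256 with the SDK Secret; accepting whatever alg the header names is the classic JWT mistake that lets an attacker present an unsigned ("none") token.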

Generating Zoom Access Token (ZAK)

ZAKs are unique authentication tokens required to host a meeting on behalf of another user. Zoom Access Tokens (ZAK) were introduced in SDK version v4.1.28807.0726 as an additional layer of security for authentication.

ZAKs are required in apps that let meetings be hosted by users who are not on the account associated with the SDK Key and Secret (the app developer's account).

Apps in which end-users are not meeting hosts do not require ZAK to start meetings.

ZAKs expire 2 hours after they are requested. Accounts with "API User" members have an expiration time of 90 days.

If a meeting is started without a ZAK, the user will join the meeting as a participant. Starting a meeting with a ZAK joins the user as a host, with all controls available to meeting hosts.

Request user’s ZAK

To request a user's ZAK, send a GET request to /users/{userId}/token with the query parameter type=zak. (If type is not specified, the default response is a Zoom Token.) See the API Reference.

The userId path parameter can be either the user's id returned by the Users API or the user's email address.

Refresh ZAK

ZAKs expire 2 hours after they are requested.

To refresh a ZAK, repeat the same request for the user's token: GET /users/{userId}/token?type=zak.

Tip: The ZAK token response does not include a timestamp field. Create a timestamp when the request is made to track when to refresh the token.
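The following is an added example covering the request and refresh steps above; it is not Zoom's own code. It assumes a REST API bearer token obtained separately (the Meeting SDK JWT is not a REST API credential) and that the response body is {"token": "..."}. Because the response carries no timestamp, the cache stamps each request time itself and refreshes a few minutes before the two-hour expiry; the clock and the fetch function are injectable so the refresh logic can be exercised offline.

```python
"""Request, cache and refresh a user's ZAK ahead of its two-hour lifetime.

Added example, not Zoom's own code. Assumes a REST API bearer token obtained
separately and a response body of the form {"token": "..."}.
"""
import json
import time
import urllib.parse
import urllib.request

API_BASE = "https://api.zoom.us/v2"
ZAK_LIFETIME = 2 * 60 * 60   # ZAKs expire two hours after they are requested
REFRESH_MARGIN = 5 * 60      # refresh early so a meeting never starts on a token about to die


def fetch_zak(user_id, api_token):
    """GET /users/{userId}/token?type=zak; userId may be the user's id or email address."""
    url = "%s/users/%s/token?%s" % (
        API_BASE, urllib.parse.quote(user_id, safe=""), urllib.parse.urlencode({"type": "zak"}))
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + api_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["token"]   # assumed response field name


class ZakCache:
    """Caches one ZAK per user and records the request time, since the response has none."""

    def __init__(self, fetcher, clock=time.time, lifetime=ZAK_LIFETIME, margin=REFRESH_MARGIN):
        self._fetch = fetcher        # callable(user_id) -> ZAK string
        self._clock = clock          # injectable for offline tests
        self._lifetime = lifetime
        self._margin = margin
        self._entries = {}           # user_id -> (zak, requested_at)

    def seconds_left(self, user_id):
        """Seconds until the cached ZAK expires, or None if nothing is cached."""
        entry = self._entries.get(user_id)
        if entry is None:
            return None
        return entry[1] + self._lifetime - self._clock()

    def get(self, user_id):
        """Return a ZAK good for at least `margin` more seconds, refreshing it if needed."""
        left = self.seconds_left(user_id)
        if left is not None and left > self._margin:
            return self._entries[user_id][0]
        requested_at = self._clock()   # stamp before the call: conservative on a slow network
        zak = self._fetch(user_id)
        self._entries[user_id] = (zak, requested_at)
        return zak


if __name__ == "__main__":
    cache = ZakCache(lambda uid: fetch_zak(uid, "API_BEARER_TOKEN"))
    print(cache.get("host@example.com"))
```

Keep this cache on the backend next to the API credential and hand the ZAK to the client only when it is about to start a meeting; a ZAK grants host control of that user's meetings for up to two hours, so it deserves the same handling as any other bearer secret.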

Best practices

It is highly recommended to keep your SDK Key and Secret on a backend server and to generate JWTs there for your application to consume. Never embed the SDK Secret in, or generate JWTs inside, a client application shipped to end users: anything in the client binary or web bundle can be extracted, and the secret can then be used to mint tokens for your SDK Key.

Zoom SDKs support JWTs generated with JWT.io libraries. While other libraries can create JWT, these recommended libraries are the most robust.

We also recommend this post from Auth0 on A Look at The Draft for JWT Best Current Practices.

Technical specifics of JSON Web Tokens can be found at JWT.io.