SDK Authorization


The Zoom Meeting SDKs use an SDK Key and Secret to generate an SDK JWT for authorized use of the SDK:

On This Page

Get SDK Key and Secret

To get an SDK Key and Secret, go to the Zoom App Marketplace and sign in with your Zoom account. If you do not have a Zoom account yet, you can create one.

Click Develop and choose Build App. On the SDK app type, click Create.

After completing the SDK App setup, go to App Credentials where you will find your SDK Key and Secret.

Now that you have an SDK Key and Secret you are ready to generate an SDK JWT.

Generate the SDK JWT

Each request to start and join a Zoom meeting or webinar must be authorized by an encrypted SDK JSON Web Token (JWT). A SDK JWT must be generated each time you join a meeting or webinar through a backend (server-side) function where your SDK credentials can be stored securely.

JWTs are generated with three core parts: Header, Payload, and Signature. When combined, these parts are separated by a period to form a token: 1111111.2222222.3333333.

Header:

The Header includes the specification of the signing algorithm and the type of token.

KeyValue
algHS256
typJWT
{
"alg": "HS256",
"typ": "JWT"
}

Payload:

The payload of a JWT contains the claims of the token, or the pieces of information being passed about the user and any metadata required. Some fields are required for Web SDKs, but optional for Native SDKs, and vice versa. See the table below for details.

KeyValue Description
appKeyYour SDK Key. Required for Native, optional for Web.
sdkKeyYour SDK Key. Required for Native, optional for Web.
mnThe Zoom Meeting or Webinar Number. Required for Web, optional for Native.
roleThe user role. Required for Web, optional for Native. Values: 0 to specify participant, 1 to specify host.
iatThe current timestamp. Required.
expJWT expiration date. Required for Web, optional for Native. Values: Min = 1800 seconds greater than iat value, max = 48 hours greater than iat value. In epoch format.
tokenExpJWT expiration date. Required for Native, optional for Web. Values: Min = 1800 seconds greater than iat value, max = 48 hours greater than iat value. In epoch format.
{
"appKey": SDK_KEY,
"sdkKey": SDK_KEY,
"mn": MEETING_NUMBER,
"role": ROLE,
"iat": 1646937553,
"exp": 1646944753,
"tokenExp": 1646944753
}

Signature:

To create a signature for the JWT, the header and payload must be encoded with the SDK Secret through an HMAC SHA256 algorithm.

ValueValue Description
SDK_SECRETRequired, your SDK Secret.
HMACSHA256(
base64UrlEncode(header) + '.' + base64UrlEncode(payload),
SDK_SECRET
);

Example SDK JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZGtLZXkiOiJhYmMxMjMiLCJtbiI6IjEyMzQ1Njc4OSIsInJvbGUiOjAsImlhdCI6MTY0NjkzNzU1MywiZXhwIjoxNjQ2OTQ0NzUzLCJhcHBLZXkiOiJhYmMxMjMiLCJ0b2tlbkV4cCI6MTY0Njk0NDc1M30.UcWxbWY-y22wFarBBc9i3lGQuZAsuUpl8GRR8wUah2M

Node.js generate SDK JWT function

In the sample Node.js generate signature function below, we use jsrsasign, an open source cryptographic JavaScript library.

const KJUR = require('jsrsasign')
// https://www.npmjs.com/package/jsrsasign
function generateSignature(sdkKey, sdkSecret, meetingNumber, role) {
const iat = Math.round((new Date().getTime() - 30000) / 1000)
const exp = iat + 60 * 60 * 2
const oHeader = { alg: 'HS256', typ: 'JWT' }
const oPayload = {
sdkKey: sdkKey,
mn: meetingNumber,
role: role,
iat: iat,
exp: exp,
appKey: sdkKey,
tokenExp: iat + 60 * 60 * 2
}
const sHeader = JSON.stringify(oHeader)
const sPayload = JSON.stringify(oPayload)
const sdkJWT = KJUR.jws.JWS.sign('HS256', sHeader, sPayload, sdkSecret)
return sdkJWT
}
console.log(generateSignature(process.env.ZOOM_SDK_KEY, process.env.ZOOM_SDK_SECRET, 123456789, 0))

For additional JWT libraries and examples in more languages, see JWT.io.

You are now ready to join Zoom meetings and webinars with the SDK.

Continue to OAuth with Meeting SDK for instructions on starting Zoom meetings and webinars on the Meeting SDK with a Zoom user's ZAK token.

OAuth with Meeting SDK

The SDK App type has OAuth credentials and scopes. The scope to get a Zoom user's ZAK token is called user:zak_read. The meeting:write and meeting:read scope is also useful if you want to manage meeting flows programmatically using Meetings APIs, but it is not required to start a meeting on behalf of a Zoom user.

Zoom OAuth supports Zoom login, SSO, and signing in with Apple, Google, and Facebook.

Server (Web or Native)

To complete the OAuth flow with a backend server, where you can use your web-based application to manage the redirect after a successful user authorization, follow the Zoom OAuth guide.

PKCE (Native)

To complete the OAuth flow without a backend server, using your Native Meeting SDK app with a non-https private-use URI scheme to the Zoom service with a code verifier and code challenge, follow the Zoom OAuth PKCE guide.

Now that you have an access_token you are ready to get the user's ZAK token.

Get a user's ZAK token

After a user completes the OAuth2 authorization flow, you can use their access_token to call the Get User Token API. The user's ZAK token can then be passed into the Meeting SDKs to start the user's meeting or webinar.

When you use GET /users/{userId}/token, ZAK tokens expire in two hours. It is best practice to get the ZAK token right before you start the meeting. As a reminder on Web, the Zoom API must be called from a backend service.

Endpoint:

GET https://api.zoom.us/v2/users/me/token?type=zak

Request Header:

{
"Authorization": "Bearer {{access_token}}"
}

Response Code: 200 OK

Response Body:

{
"token": "abc123"
}

Now that you have a ZAK token you can use it to start the Zoom user's meeting or webinar with the Meeting SDKs. See the platform specific Meeting SDK References for instructions on how to provide the ZAK token to the SDK.

See Supporting OAuth in your SDK app for a more thorough walkthrough that shows how to support OAuth, using the iOS SDK sample app as an example.

Need help?

If you're looking for help, try Developer Support or our Developer Forum. Priority support is also available with Premier Developer Support plans.