Video SDK apps authenticate with Zoom through a pair of access credentials, SDK Key and SDK Secret, which are signed and communicated using JSON Web Tokens (JWT).

Obtaining SDK package and credentials

Log in to the Zoom App Marketplace using your developer account, click the Develop option in the dropdown on the top-right corner and select Build App. Next, click the Create button and provide the required details.

After providing the required information, you can download the desired SDK package from the Download tab.

Locate your app credentials (SDK Key and Secret) in the App Credentials tab. Use these credentials to generate a JWT.

Generating JWT

Your app must be authenticated with JWT in order to create and join a session.

JWTs are generated with three core parts: Header, Payload, and Signature. When combined, these parts are separated by a period (.) to form a token: aaaaa.bbbbb.ccccc.


The Header includes the specification of the signing algorithm and the type of token.

alg refers to the algorithm being used. Zoom APIs and SDKs use HMAC SHA256 (HS256). The use of other algorithms may produce unexpected results.

typ refers to the token type: JWT.

  {
    "alg": "HS256",
    "typ": "JWT"
  }


The payload of a JWT contains the claims of the token, or the pieces of information being passed about the user and any metadata required.

app_key is the SDK Key found in the App Dashboard.

version should be set to 1.

user_identity is an available field to uniquely specify a user in your own system. The maximum length is 15 characters.

iat is the timestamp of the token in seconds identifying when the JWT was issued. The value of this field should be in long format and should not be a string.

exp is the expiration time of the token in seconds since epoch. For the token to be accepted, the current date/time must be before the expiration date/time. Expiration times are limited to a maximum of two days (48 hours) from the current date/time.

tpc is the name of the session that the user is going to create or join. It cannot be empty and must be less than 150 characters. It can include the uppercase or lowercase English letters a to z, numbers 0 to 9, the space character, and the following symbols: !, #, $, %, &, (, ), +, -, :, ;, <, =, ., >, ?, @, [, ], ^, _, {, }, |, ~, and the comma (,).

  {
    "app_key": "SDK_KEY",
    "version": 1,
    "user_identity": "User ID",
    "iat": 0, //Provide the current timestamp as the value of this field.
    "exp": 0, //Timestamp expiration date (Max: 2 days) in epoch format.
    "tpc": "Session name, cannot be empty (Max: 200 characters)"
  }


To create the signature for the JWT, the base64url-encoded header and payload are signed with the SDK Secret using the HMAC SHA256 algorithm.

    base64UrlEncode(header) + "." +
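As an added example (not Zoom's own code), the following builds a Video SDK JWT with the header and payload described above using only the Python standard library, and shows the verification a backend would perform before trusting such a token. The SDK key, secret, topic and timestamps are constructed placeholders, and the claim limits checked are the ones stated on this page.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_TTL = 48 * 3600  # exp may be at most two days after iat

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()

def build_video_sdk_jwt(sdk_key, sdk_secret, topic, user_identity="", ttl=3600, now=None):
    """HS256-signed Video SDK JWT; claim checks follow the limits stated on the page."""
    if not topic or len(topic) >= 150:
        raise ValueError("tpc must be non-empty and under 150 characters")
    if len(user_identity) > 15:
        raise ValueError("user_identity is limited to 15 characters")
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("exp must be within 48 hours of iat")
    iat = int(time.time()) if now is None else int(now)  # numeric, never a string
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"app_key": sdk_key, "version": 1, "user_identity": user_identity,
               "iat": iat, "exp": iat + ttl, "tpc": topic}
    signing_input = _b64url(_compact(header)) + "." + _b64url(_compact(payload))
    sig = hmac.new(sdk_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_video_sdk_jwt(token, sdk_secret, now=None):
    """Server-side check: alg pinned to HS256, constant-time signature compare, exp enforced."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")  # ValueError unless 3 parts
        if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        mac = hmac.new(sdk_secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256)
        if not hmac.compare_digest(_b64url(mac.digest()), sig_b64):
            return None
        payload = json.loads(_b64url_decode(body_b64))
    except (ValueError, AttributeError, TypeError):
        return None
    now = int(time.time()) if now is None else int(now)
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None  # exp must be a number and still in the future
    return payload
```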

Important: Though JWT is protected against tampering, the information in these tokens can be read by anyone. Do not store confidential information or personally identifiable information (PII) in the payload or header elements of a JWT.

Best practices

It is highly recommended that you keep your SDK Key and Secret on a backend server, generate JWTs there, and have your application consume them. Do not generate JWTs or store SDK credentials in the production application itself.

Zoom SDKs support JWTs generated with standard JWT libraries. While other libraries can create JWTs, these recommended libraries are the most robust.

We also recommend this post from Auth0 on A Look at The Draft for JWT Best Current Practices.

Technical specifics of JSON Web Tokens can be found at