Account-level apps and OAuth

I feel like I might be misunderstanding some of the mechanics of account-level OAuth apps, and how they’re meant to be used.

  1. I know that account-level apps need to be installed to a Zoom account by an admin (or a user with permissions for all of the required scopes + marketplace). Does this enable other, less privileged, users on that account to perform actions through the app that they would not otherwise be able to perform? For example, if the app had the user:write:admin scope, could anyone then manage users through that app?

  2. Which user(s) need to go through the OAuth flow, and which token(s) are being passed to the API? Is there just a single access token for the admin user who installed the app? Or do individual users all need to go through the authorization process to generate their own access tokens?

As background: we’re hoping to create an integration between our product and Zoom. Our customers are organizations that may have a number of individual users who will be set up in our system and in the customer’s Zoom account. Some of the content these users will be managing in our system can have an associated meeting in Zoom. For convenience, we’d like to be able to give all users the ability to manage all of the meetings created for that customer, regardless of which individual created them.

It seems like the ideal thing would be to create an account-level OAuth app that the customer would install once, and would enable all of the customer’s users to manage all of their meetings. But some of my experimentation has me questioning whether I really understand how this works.

@will.zoom @gianni.zoom This seems like it should be a pretty straightforward thing, but I could really use a sanity check from the experts.

Hey @sixten,

Thanks for reaching out about this—good questions. Happy to help shine some more light on this for you.

First, regarding:

  1. I know that account-level apps need to be installed to a Zoom account by an admin (or a user with permissions for all of the required scopes + marketplace). Does this enable other, less privileged, users on that account to perform actions through the app that they would not otherwise be able to perform? For example, if the app had the user:write:admin scope, could anyone then manage users through that app?

No—if an account level app is authorized by an admin or owner on the account, this does not give individual users on that account any additional access. When an admin or owner authorizes an account level app, it provides the OAuth App owner access to the authorizing account, within the limit of the scopes of the app.

  2. Which user(s) need to go through the OAuth flow, and which token(s) are being passed to the API? Is there just a single access token for the admin user who installed the app? Or do individual users all need to go through the authorization process to generate their own access tokens?

For an account level app, only an admin or owner needs to authorize the app. This will then give the integration access to their account, based on the account level scopes. For a user level app, individual members on the account would need to each authorize the app.

Let me know if this helps to clarify. :slight_smile:

Best,
Will
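A small worked model of the two authorization models described in the answer above, added here as an example (it is not code from the thread or from Zoom). `ZOOM_AUTHORIZE_URL` and `ZOOM_TOKEN_URL` are Zoom's documented OAuth endpoints; the org data, the token store and every helper name are constructed for illustration. The point it shows is the one Will makes: an account-level install yields one token that represents the app, not the requesting user, so an integration that lets "all users manage all meetings" with that token has to enforce membership on its own side before using it; with a user-level app each member holds their own token and Zoom applies that member's own permissions.

```python
# Added example (not code from the thread or from Zoom): account-level vs
# user-level OAuth apps, and the gate an integration must add on its own side
# when it acts with a single admin-granted token. Endpoint URLs are Zoom's
# documented OAuth endpoints; all other data and names are constructed.
import base64
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode

ZOOM_AUTHORIZE_URL = "https://zoom.us/oauth/authorize"
ZOOM_TOKEN_URL = "https://zoom.us/oauth/token"


def new_state() -> str:
    """Unguessable state value; the callback must echo it back unchanged."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization-code request. Same URL shape for both app types; Zoom
    decides from the app's configuration who may authorize it."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{ZOOM_AUTHORIZE_URL}?{query}"


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Code-for-token exchange: client credentials travel in an HTTP Basic
    header, never in the query string. Returns (url, headers, form_body)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    return ZOOM_TOKEN_URL, headers, body


@dataclass
class TokenStore:
    # account-level install: one token per customer account, granted by an admin
    account_tokens: dict = field(default_factory=dict)   # account_id -> token
    # user-level install: one token per member, granted by that member
    user_tokens: dict = field(default_factory=dict)      # (account_id, user_id) -> token


@dataclass
class Org:
    account_id: str
    members: set


class NotAuthorized(Exception):
    pass


def token_for_meeting_action(store, org, requester, model):
    """Choose the bearer token sent to Zoom when `requester` manages one of
    `org`'s meetings.

    "user":    the requester acts as themselves; they must have completed the
               OAuth flow, and Zoom enforces their own Zoom role.
    "account": every call uses the admin-granted account token. Zoom sees only
               the app, not the requester, so membership is checked here.
    """
    if model == "user":
        token = store.user_tokens.get((org.account_id, requester))
        if token is None:
            raise NotAuthorized(f"{requester} has not authorized the app")
        return token
    if model == "account":
        if requester not in org.members:
            raise NotAuthorized(f"{requester} is not a member of {org.account_id}")
        token = store.account_tokens.get(org.account_id)
        if token is None:
            raise NotAuthorized(f"no admin has installed the app for {org.account_id}")
        return token
    raise ValueError(f"unknown model {model!r}")


def demo():
    """Constructed scenario: one customer org, two members, one outsider."""
    org = Org(account_id="acct-demo", members={"alice", "bob"})
    store = TokenStore()
    store.account_tokens["acct-demo"] = "ACCT-TOKEN"           # admin installed once
    store.user_tokens[("acct-demo", "alice")] = "ALICE-TOKEN"  # only alice authorized
    results = {}
    for model, who in [("account", "alice"), ("account", "bob"), ("account", "mallory"),
                       ("user", "alice"), ("user", "bob")]:
        try:
            results[(model, who)] = token_for_meeting_action(store, org, who, model)
        except NotAuthorized as exc:
            results[(model, who)] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In the account-level case the membership check is the integration's own access control, not Zoom's: the token carries whatever admin-level scopes the app requested, so an outsider who can reach the integration would otherwise inherit them. In the user-level case the check is unnecessary because a member without a token simply cannot act, and a member with one is limited by their own Zoom permissions.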

Thanks, @will.zoom. So it sounds like the kind of integration we’re trying to achieve is going to require a user-managed app so that all of those users can be individually authorized, and those users will need to be set up so that they have permissions to manage each other’s meetings. Would you agree?

(I’ve also seen some examples where vendors seem to be instructing their customers to create JWT apps on the customer’s Zoom account. Other than the complexity of walking non-technical folks through that setup, the simplicity of a single non-expiring key seems awfully attractive.)

Hey @sixten,

Yes, if you want individual users to be able to authorize, that’s correct. :slight_smile:

Regarding sharing JWT credentials, we do not endorse this as it would be considered insecure.

Thanks!
Will
