Allowing others to spoof host using start link

I’m developing a company internal app that integrates with the Zoom API. For some meetings I created via the API with a service account, I was able to spoof and start the meeting as the service account. Recently this has been blocked by an authentication error. The docs around spoofing into accounts with the start_url link are unclear.

I would like other users with the start meeting link to be able to spoof the account and act as host. The workaround we are using right now is to have people join the meetings as attendees and then claim host using the account host key. This is not a great solution because the host key is tied to the account (not each individual meeting), so it’s just a matter of time before the key is leaked. Recordings will also not be stored to the service account in this case. If there is a config where we can have a unique host key for each meeting, that would be an acceptable solution.

I tried using alternative hosts but all hosts need to be in the same parent account which won’t work for our case. The start_urls are kept secret internally so I’m not worried about letting any zoom user start the meeting.

Additional notes: the meeting start_url includes a ZAK token. It is different from the user’s ZAK token. I tried passing both into the URL and neither works; they give me the authentication error in the screenshot. The tokens are definitely not expired either.

Also, for reference, this is not a Meeting SDK app; it’s a simple server-to-server OAuth app.

Hi @arthur.he, if this is an internal account app, you should create meetings for the users/emails that you are intending to host the meeting, or add them as co-hosts to the meeting.

Start URLs include user ZAK tokens. These help the zoom.us domain validate the user’s login as the intended host, but they do not bypass login flows, as this check happens on meeting join.

The ISV Partner Program provides accounts with enhanced features to allow host identity to be passed from start URLs; this may be something you want to explore if you are providing Zoom services to your customers. If this is an internal app for users on your account, I’d suggest a conventional login flow with co-host permission for the meetings.

Hey Michael, thanks for the response.

Unfortunately I cannot guarantee the intended hosts share the same email domain as the integrated account. The need is for them to still be able to start the meeting and have host controls.

I have no need to embed the zoom client into my website. Do I still need to go through the ISV program to get the start_urls that can pass host identity or is there some workaround I can do with my current plan?

For example, is there a feature where each meeting has a unique host key?

@michael.zoom can you provide additional guidance?

Also is there a way to host concurrent/simultaneous meetings from the same user? https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0067266 this toggle doesn’t seem to exist on the account…

Ah, thanks for tagging me @arthur.he, apologies, I didn’t see the reply.

You don’t need to embed the Zoom client into your website/app; many partners just use a start_url to launch the standard Zoom app.

If you are providing Zoom host features to your users/customers, you’ll need to be in our partner program for the commercial agreement and technical functionality.

Concurrent meetings are available for Business/Enterprise accounts to allow for back-to-back meetings, rather than the sharing of host permissions across users. You will need to create meetings for the users/emails you intend to host the meeting, either through an OAuth app that they authorize into the Zoom account they use for their email, or join our ISV Partner program to provide host features to their accounts.