API Permissions tied to a user

We have a Zoom market place application which uses OAuth to connect to a Zoom account at Account level.

We have had a couple of cases recently whereby we get failed API calls due to permissions. Our original understanding was that once the connection had been made, and we had an access token, this was for the account and should continue working based on the scoped permissions. Is this correct? Or is the access still in some way tied to the account of the person who connected it in the first place?

For example, you have two sysadmins, and one of them set up their organisation's account to use our integration. This sysadmin then leaves the business and their account is removed. Should the integration keep working as it's an account-level one? Or would the 2nd sysadmin then need to re-link their account via the marketplace?

Many thanks,
Fraser

Hi @fraser,

Thanks for reaching out about this, and happy to help clarify!

To that end, you’re correct that when an admin or owner authorizes your account-level app, the access_token you retrieve will have access to their account, limited to the scopes your app leverages.

In regard to the scenario you’ve outlined, if the original user who installed the app (admin 1) had their account removed, you would want to ensure that a new admin reinstalls the app to ensure that the app functions as intended and has access to the account.

So, the answer here is two-fold: your app needs to have the scopes for the information you wish to access, and the account needs to have an active admin associated with the authorization/installation.

Let me know if this helps to clarify.
Will

Thanks for clarifying, so in another scenario where perhaps the user who connected the app is moved into another group or their permissions are changed, this could effectively break the integration too?

We’ve had a couple of cases recently where integrations broke and it wasn’t clear why the API requests suddenly started giving errors like ‘user not found’ or no permission. A few things led us to think it was somehow related to the initial user's permissions.

Surely if you authorise at a company level though, the user account making that initial connection should affect things really. Is there a way to protect from breakages to the connection in these cases? Or is it something we just need to warn our customers about?

Hi @fraser,

Good questions—happy to clarify.

That’s correct, if a user is changed from an admin role to a member role, for instance, this could affect an account-level integration.

We recommend making it clear to your end-users, or perhaps including in your documentation, that if the admin who originally installed the integration is changed to a member role or their account is removed, they will need to reinstall the app.

Let me know if you have any other questions about this.

Thanks!
Will
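One way an integration can handle the failure mode described in this thread, as an added example that is not from the thread or from Zoom's SDK: probe each stored installation, and separate "the authorizing admin is gone or demoted, a current admin must re-link" from token expiry and transient errors, so support can see which admin's removal broke the link. The `Installation` fields, the probe callable and the error-message phrases are assumptions for the example; only the ‘user not found’ / no-permission messages come from the thread.

```python
"""Installation health check for an account-level OAuth integration.

Constructed example. It classifies one API failure into an operator action
instead of blindly retrying, because a removed or demoted installing admin
cannot be fixed by retries or token refresh: a current admin must reinstall.
"""
from dataclasses import dataclass
from typing import Callable, Tuple

# Message fragments the thread reports after the installing admin was removed
# or demoted. Matched case-insensitively; assumed wording, not an official list.
REINSTALL_HINTS = ("user not found", "user does not exist", "permission")
# Fragments that indicate an expired/invalid bearer token (try a refresh first).
REFRESH_HINTS = ("expired", "invalid access token")

@dataclass
class Installation:
    account_id: str
    installed_by: str        # admin who authorized the app (assumed field)
    access_token: str
    status: str = "unknown"

# Probe: given a bearer token, returns (http_status, error_message). A real
# deployment would issue an HTTPS request; tests inject a fake instead.
Probe = Callable[[str], Tuple[int, str]]

def classify(http_status: int, message: str) -> str:
    """Map an API response to: healthy, refresh_token, needs_reinstall,
    retry_later or request_error."""
    if 200 <= http_status < 300:
        return "healthy"
    text = message.lower()
    if http_status == 401 and any(h in text for h in REFRESH_HINTS):
        return "refresh_token"            # token lifecycle, not an admin change
    if http_status in (401, 403) or any(h in text for h in REINSTALL_HINTS):
        return "needs_reinstall"          # authorizing user removed/demoted
    if http_status == 429 or http_status >= 500:
        return "retry_later"              # rate limit or outage: back off
    return "request_error"                # e.g. 404 for a deleted meeting

def check_installation(inst: Installation, probe: Probe) -> Installation:
    """Run one probe and record the outcome on the installation."""
    status, message = probe(inst.access_token)
    inst.status = classify(status, message)
    if inst.status == "needs_reinstall":
        # Surface who installed it so the customer knows which admin's
        # removal or role change broke the link and who must re-link.
        print(f"[{inst.account_id}] reinstall required; "
              f"originally installed by {inst.installed_by}")
    return inst
```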