App Integration for Recordings & Transcripts

We are evaluating options for securely accessing Zoom cloud recordings and transcripts for internal analysis purposes. Before we move forward, we want to confirm the most secure and least-privileged Zoom-approved method for this type of integration.

Background

Our internal requirements involve programmatically accessing recordings and transcripts for very specific meetings only (not the entire Zoom account). Since this has security implications, we want to ensure we use the correct Zoom architecture from the start.
What We Need From Zoom

We are requesting guidance on the following:

⸻

  1. Server-to-Server OAuth (S2S) — Is it the only option?

We understand that Server-to-Server OAuth apps provide the ability to use admin-level scopes such as recording:read:admin.

However, before pursuing this path, we want Zoom to confirm:
• Is S2S OAuth the only method to securely retrieve cloud recordings at an account or group level?
• Is there any other Zoom-supported integration option that would allow restricted access (e.g., group-limited, user-limited, or meeting-template-limited), without granting broad admin privileges?

⸻

  2. Least-Privilege Access

If S2S OAuth is required, does Zoom support:
• Limiting access to recordings based on Zoom Group
• Limiting access based on specific users
• Limiting access based on roles
• Filtering recording.completed events so we only receive the subset we need

We want to avoid providing account-wide access if there is a narrower model.

⸻

  3. Alternative Approach — Meeting Bot / Note-Taker Bot

Does Zoom offer or support an internal method where an automated bot can:
• Join selected meetings
• Capture the audio and transcript directly
• Avoid the need for recording:read:admin API calls altogether

We are open to implementing this approach if it results in a more secure and isolated architecture.

⸻

  4. Recommended Security Architecture

Given our requirement — internal analysis of only certain meetings — we would like Zoom’s recommendation on:
• Best practice for securely accessing recordings for a subset of users/meetings
• Whether Zoom provides a way to scope recording access to specific categories
• Any additional controls or features Zoom recommends for minimizing exposure

⸻

  5. Marketplace Developer Permissions

At the moment, our role does not have access to create a Server-to-Server OAuth app. Before we request those permissions from our account owner, we need Zoom to confirm that S2S is indeed the appropriate and most secure integration method.

⸻

Goal

Our objective is to define a Zoom-approved, least-privileged, secure model for retrieving only the recordings we need — no more, no less.

S2S is not the only option for recordings; a General OAuth app with granular cloud recording scopes is also Zoom-approved. In practice most “least privilege” setups use an account- or user-level OAuth app plus webhooks, not S2S.

With respect to least-privilege access, Zoom does not let you scope access directly to specific groups or roles, so you enforce that in your backend using user/group APIs. For webhooks like recording.completed, you filter events yourself by host, group or meeting metadata.

Alternatively, you could use a Zoom Meeting Bot API to send bots to individual meetings with only a meeting link. The data the bot captures will also only be scoped to that meeting and would provide you the audio/video/transcripts.

1 Like
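The backend filtering described in the answer above, sketched as an added example (not code from this thread or from Zoom): a deny-by-default gate that authenticates a `recording.completed` webhook and then admits it only if the host or meeting is on an allowlist. The signature scheme (`v0=` HMAC-SHA256 over `v0:<timestamp>:<body>`) and the field names `payload.object.host_id` and `payload.object.id` are assumptions to confirm against Zoom's current webhook reference; the allowlist values are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample scope; in practice, build these from your own config,
# e.g. host IDs resolved from one Zoom group via the user/group APIs.
ALLOWED_HOST_IDS = {"host_analysis_01"}
ALLOWED_MEETING_IDS = {85512345678}


def signature_ok(secret: str, timestamp: str, body: bytes, signature: str) -> bool:
    """Verify the webhook HMAC (assumed scheme, see lead-in)."""
    msg = b"v0:" + timestamp.encode() + b":" + body
    expected = "v0=" + hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, signature)


def should_process(secret: str, timestamp: str, body: bytes, signature: str):
    """Return (decision, reason). Anything not explicitly in scope is dropped."""
    if not signature_ok(secret, timestamp, body, signature):
        return False, "bad signature"
    try:
        event = json.loads(body)
    except ValueError:
        return False, "malformed body"
    if not isinstance(event, dict) or event.get("event") != "recording.completed":
        return False, "unrelated event"
    payload = event.get("payload")
    obj = payload.get("object") if isinstance(payload, dict) else None
    if not isinstance(obj, dict):
        return False, "missing object"
    host_id, meeting_id = obj.get("host_id"), obj.get("id")
    if isinstance(host_id, str) and host_id in ALLOWED_HOST_IDS:
        return True, "host in scope"
    if isinstance(meeting_id, int) and meeting_id in ALLOWED_MEETING_IDS:
        return True, "meeting in scope"
    # Out-of-scope recordings are never fetched, so the app's token is not
    # exercised against them even though its scope would technically allow it.
    return False, "out of scope"
```

Log the returned reason for every dropped event so that scope drift (a new host, a moved meeting) shows up in review rather than as silently missing data.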

Thank you so much, this was super helpful!