BUG downloading cloud recordings with access token set results in an invalid response

Yep, did that too! Unfortunately this does not bypass password protected files and private ones, it only works on public files.

The webhook with a download token bypasses this.

Ah, interesting. Ok, can you tell me which scopes your tokens have on it? Also, is this a JWT or OAuth implementation? Account Level or user Level?

OAuth on the user level.

Scopes are

  • meeting:read
  • meeting:write
  • recording:read
  • recording:write
  • user:read

Looks like it’s a bug as you suspected. Thank you for working with me to give me additional details. I raised this internally with our eng team for a resolution.

In case you work with someone else in the future you can reference DEVELOPERS-286 as the ticket for tracking.

1 Like

In the meantime, I have tested and you can use JWT instead of OAuth tokens to get this done. :slight_smile:

Hi, I have the same issue using JWT token for non-public recordings. I’m getting 401 HTTP. Is there any way to download non-public recordings with JWT token?

@patricio.giacomino,

can you please provide some more details on your error?

It’s been a month since reporting, any updates on this?

@matt,

Thank you for your patience. We are still waiting on resolving this error.

Thanks!

What is the status on this? It has once again been another month and no update.

Hi Matt,

Our engineers are working currently to see if we can add this as a feature request.

As a work around, we recommend you JWT token to download recording file.

Apologies for the inconvenience caused.

Thanks!

I don’t think this bug should be considered a “feature request”.

We’re attempting to build an OAuth user-managed application that can access a user’s recordings. From my understanding, a JWT is not a an option for us.

4 Likes

@patricio.giacomino, @matt, @ryan

As of now to download a private or password protected cloud recording you must use a Zoom JWT App Type.

Use the download_url from the Get Recordings Endpoint or the download_url from the Recording Completed Webhook and add the access_token query param to the end of the url with your JSON Web Token as the value.

Example:

https://api.zoom.us/recording/download/{{ Download Path }}?access_token={{ JWT Token }}

19%20PM

The only way to use OAuth to download a cloud recording is to have the “Share cloud recordings only with members of my account” set to off. Then you can use the download_url to download the file with no auth required.

43%20PM

We apologize for the confusion and inconvenience. We have a ticket to allow OAuth private recording downloads in our backlog. Stay updated here.

Thanks,
-Tommy

1 Like

Thanks for the clarification, we’ll look forward to the functionality being added to OAuth apps.

1 Like

You are welcome, happy to help!

+1 for adding this feature so that Oauth users can reliably access the download links

Thanks @debra. We will post to our changelog once this feature becomes available.

Also looking forward to this functionality being added to OAuth apps.

The current behavior is also a problem for OAuth apps if you ever miss the Recording Completed webhook (due to network issues, etc.) because we will then miss the download token and we don’t ever get a new one. Or am I missing a scenario where we might get it some other way?

1 Like

Thanks @zoom-test, we will post here when this feature is available.

If you ever miss a webhook event, you can use the GET /users/{userId}/recordings or GET /meetings/{meetingId}/recordings to get them, then use the JWT token to download as mentioned above.

Thanks,
Tommy

Tommy,

Thanks for all the replies. Unfortunately I can’t use a JWT app because the app needs to be used by multiple accounts/customers, not just my own account so that solution does not work for my scenario since JWT apps are not publishable on the marketplace.

What is your route to filling this hole for OAuth app developers?

  • Add the download_token to those api responses? ( GET /users/{userId}/recordings or GET /meetings/{meetingId}/recordings) They are authenticated requests and would seem to be trustworthy.
  • Allow us to download the files by including a valid OAuth token in the Authorization header as part of the download request?
  • Or something else?