Can't Find phone:write and phone_sms:write Scopes in OAuth App for SMS API

In the API documentation for /phone/sms/messages, I see that it requires one or more of the following scopes:

  • phone:write
  • phone:write:admin
  • phone_sms:write
  • phone_sms:write:admin

However, these scopes are not visible in the Server-to-Server OAuth app scope selector in the Zoom App Marketplace.
I do have admin-level access and we have Zoom Phone active with multiple phone numbers and SMS campaigns configured. We’ve also created a Programmable SMS service endpoint.

Questions:

  1. How can I get access to these hidden scopes?
  2. Do these scopes need to be manually enabled by Zoom?
  3. Is there a recommended process or contact to request activation of these scopes?

Thanks in advance!

1 Like

Same issue when using a User-managed general app.

Below are the only scopes I can see:

I have an admin/master account.


Something else to note is that the granular scopes listed appear to be read permissions instead of write, potentially a mistake from copy/paste from a different endpoint:

EDIT:

Hi @tamn and @Xcash
Thanks for bringing this to our attention. I am looking into this right now.
(ZSEE-173826 internal ticket number for reference)

Hi @tamn and @Xcash
Thanks for your patience here.
Our Engineering team just confirmed that there is an inconsistency in the documentation, particularly with the scopes listed. We’ll reach out to the PM and work with them to clarify the scopes.
I’ve tested this endpoint, and it works using the scopes listed in the docs. However, there is a caveat: the sender field is not marked as required; only the phone_number within that object is. So, please make sure to include the sender field with both phone_number and user_id.
I’m working internally to get this fixed.

Hi @elisa.zoom,

Regarding:

As stated above, our issue is that we’re unable to add these scopes into our User-managed General App.

They don’t appear here:

They also don’t show up for the server-to-server app.

This means we can’t really test whether the correct scope works with or without the caveat, as we can’t add the scopes to our applications in the first place.

Hi @tamn, thanks for sharing that with me… I can see the scope phone:read:sms_message in the screenshot you shared; it is the 2nd scope listed there. Can you try adding that and testing the endpoint again, please?

Hi Elisa,

The missing scopes in the docs I was referring to are those listed by OP in their post:

So when you say

It would not be possible for us to test the scopes listed.


Now, as for using the granular scope phone:read:sms_message, I can confirm that this works.

However, the scope clearly implies READ permission, as it is described as

View all users’ phone information
└── View an SMS message (phone:read:sms_message)

Does this mean any apps we have given strictly READ access to SMS in the past have also, undesirably, granted WRITE permissions?

Should this not instead be considered a bug/security issue?

If so, and if there are plans to fix the scopes, then I assume there’ll be a breaking change released and new apps that depend on phone:read:sms_message granting WRITE access will need to be altered.

Hi @tamn
Sorry for the confusion, I was referring to the scope phone:read:sms_message

I just heard back from our Engineering team about the scope, and we understand it’s quite confusing for a POST API request to use the phone:read:sms_message. I was informed that this is by design and we won’t be changing this to a new granular scope at this time. However, I have asked for more clarification and also requested to add the appropriate scope.

1 Like

Thanks @elisa.zoom - I’m more concerned about the security aspect of this.

It seems completely natural for someone to grant this scope to provide users the ability to READ SMS messages, not intending (or expecting) them to actually be able to send messages, and having no way to restrict this through scopes.

I completely agree with you @tamn
I have shared these concerns with our Engineering team and will let you know what they say back to me

1 Like
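
The mismatch discussed in this thread, as an added example that is not part of any post or of Zoom's code: a small audit that finds read-named scopes authorizing state-changing endpoints, then lists the apps that hold them. The inventory and app names are constructed; only `POST /phone/sms/messages` and the `phone:` scope names come from the thread, and the `example:` entry is a placeholder.

```python
from dataclasses import dataclass

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str
    accepted_scopes: tuple  # scopes that authorize this call

def scope_verb(scope):
    """Action segment of a scope string, e.g. 'phone:read:sms_message' -> 'read'."""
    parts = scope.split(":")
    return parts[1] if len(parts) >= 2 else None

def mismatched_scopes(endpoints):
    """Map each read-named scope to the state-changing endpoints it authorizes."""
    findings = {}
    for ep in endpoints:
        if ep.method.upper() not in STATE_CHANGING:
            continue
        for scope in ep.accepted_scopes:
            if scope_verb(scope) == "read":
                findings.setdefault(scope, []).append(f"{ep.method.upper()} {ep.path}")
    return findings

def audit_apps(apps, endpoints):
    """Return {app: [(scope, endpoint), ...]} for apps holding such a scope."""
    risky = mismatched_scopes(endpoints)
    report = {}
    for app, granted in apps.items():
        hits = [(s, e) for s in sorted(granted) if s in risky for e in risky[s]]
        if hits:
            report[app] = hits
    return report

# Constructed inventory: the POST entry pairs the scopes the docs list with the
# granular scope the thread confirms works; the GET entry is a placeholder.
ENDPOINTS = [
    Endpoint("POST", "/phone/sms/messages",
             ("phone:write", "phone_sms:write", "phone:read:sms_message")),
    Endpoint("GET", "/example/resource", ("example:read:thing",)),
]
# Constructed app names and grants (assumption: exported from your own app review).
APPS = {"sms-dashboard-viewer": {"phone:read:sms_message"},
        "reporting-job": {"example:read:thing"}}

if __name__ == "__main__":
    for app, hits in audit_apps(APPS, ENDPOINTS).items():
        for scope, endpoint in hits:
            print(f"{app}: '{scope}' also authorizes {endpoint}")
```

Apps flagged here were granted a scope whose name suggests view-only access but which, per the thread, is sufficient to send SMS.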