Clarification Needed: Meeting SDK Authorization for Anonymous Attendees Joining External Meetings

Meeting SDK Web
1

Hi,

We need clarification on the upcoming March 2, 2026 authorization requirements for our Meeting SDK implementation.
Our Current Setup:
We have a General App (Meeting SDK) registered in our Zoom Marketplace account
The SDK is embedded in our web application for virtual meetings
We use JWT signatures for SDK authentication
Our Use Case:
A meeting host creates a meeting using their Zoom desktop app
The host pastes the meeting ID into our web application
Residents (attendees) click “Join” on our website and join the meeting through the embedded SDK
Residents do not have Zoom accounts and do not log in to Zoom - they join anonymously with just a display name
Residents are real human participants, not automated bots or recording apps
The Complication:
Some of our clients use their own Zoom accounts (not ours) to host meetings. This means residents would be joining meetings “outside our app’s Zoom account.”
Our Concern:
After reviewing the documentation, neither ZAK nor OBF tokens seem suitable for our scenario:
ZAK tokens require users to have Zoom accounts - our residents don’t have Zoom accounts
OBF tokens are described as being for “automated participants” and “assistant apps” - our residents are real human attendees, not bots
Our Question:
What authorization method should we use for real human users (without Zoom accounts) joining meetings hosted outside our app’s Zoom account via the Meeting SDK?
Thank you for your guidance.
Best

2

For meetings hosted outside your app’s Zoom account, Meeting SDK joins must be user-attributed starting March 2, 2026 - Zoom explicitly says “Anonymous joins will no longer be supported” for external meetings when joining with the Meeting SDK. In practice that means “JWT signature only” isn’t enough; the join must be authorized with either a ZAK token (Zoom Access Key) or an OBF token (On Behalf Of token).

If your residents truly have no Zoom accounts, there isn’t a supported way to keep them “anonymous” and join external meetings via the Meeting SDK, because Zoom requires the attributed user to be a Zoom user and present (reusing a service/shared user won’t work) as described by Zoom staff here.

Your realistic paths are: (1) require residents to authenticate as Zoom users and join with their own ZAK, or (2) only embed meetings hosted in the same account as your SDK app and send external meetings to the standard Zoom join flow; if you do embed external meetings, you’ll need OAuth to fetch OBF via the user:read:token scope as noted in Zoom’s FAQ excerpt here.

For a deeper dive, take a look at Recall.ai - we’ve supported thousands of developers working through these exact implementation details