Scope cloud_recording:delete:recording_file:master does not seem to be available for Server-to-Server OAuth apps. There is however cloud_recording:delete:recording_file:admin, which I can’t understand what it does. When calling the API to delete a cloud recording file, even if the cloud_recording:delete:recording_file:admin scope is available, the API returns error that the cloud_recording:delete:recording_file:master is missing.
Hi @idressos, Zoom’s Primary (master) account APIs are for a primary account, which in practice is the parent Zoom account that manages one or more separate subaccounts. That is different from an admin, which is just a user role inside a single account. Zoom’s own role model is owner, administrator, or member. So “primary/master” describes an account relationship, while “admin” describes a permission level for a user. A primary account can have admins, but not every admin belongs to a primary account, and an admin on a regular account does not automatically imply subaccount management.
In Zoom’s granular scopes, cloud_recording:delete:recording_file:master appears to be the scope for a primary account, while cloud_recording:delete:recording_file:admin appears to be the scope for a normal account admin. In practice, a primary account is the parent account in Zoom’s Primary (master) account APIs model, where one account manages separate subaccounts. An admin is different. That is just a role inside a single account. So the split here is really parent-account access vs single-account admin access, not “more admin” vs “less admin.”
The confusing part is that Zoom’s docs do not clearly explain why the regular Meeting API recording-file delete flow would require the master scope instead of the admin scope, rather than the Meeting Master API flow. So the safest conclusion is narrower: the docs support a master vs admin scope distinction, but they do not fully explain this specific error.
If Zoom returns cloud_recording:delete:recording_file:master, that could be caused by the endpoint being used, the account’s primary/subaccount structure, or a Zoom-side issue, and it should be escalated with the exact endpoint, app type, token scopes, and account structure.
If you need a fallback, Recall’s Meeting Bot API can handle recording capture and retrieval across meeting platforms.
My app is of type Server-to-Server OAuth and is running on account-level. I think that is the maximum privilege level, I am not aware (and it is not specified in the docs) that there is something else above this.
In the account, my user is an administrator and has all privileges.
Zoom API is returning specifically:
Invalid access token, does not contain scopes:[cloud_recording:delete:recording_file:master].
When configuring the app scopes through the Zoom App Marketplace, there is no such scope available. There is only cloud_recording:delete:recording_file:admin - and I have granted that scope to the app.
To be honest this straight up just seems like bug.