Deauth compliance

We are in the process of getting our app ready for publishing and I am looking at deauth compliance requirements. I see that we are required to supply a webhook where a user can deauthorize from zoom and it takes care of it in our app. We also give the user the option to deauthorize their zoom account from our app. We follow compliance and delete all related recordings on the users request but I don’t see a way to notify zoom compliance that it is complete. Since the user initiated the deauth with us, we don’t get the deauth information (signature) from the webhook so we don’t have the required fields to send the compliance message. Am I right to think the compliance complete call to zoom is only required if the user initiates the deauth from zoom?

Hey @lucas_hyp,

The proper flow to deauth on your end, is to call the Revoke Access Token endpoint when the user clicks a disconnect Zoom button (or something similar) on your site. Then you will receive a webhook sent to your Deauth URL, where you will then send the compliance call to Zoom. :slight_smile:

Does that make sense?


I have to say that these are one of the most strangest requirements I’ve seen from any API integration. Our desktop app, for instance, is a standalone app that does not communicate with our server. No data or account info or related preferences are ever saved. We simply allow users to disconnect their zoom integration from within our app. We don’t have the ability to setup Webhooks since there’s no backend server running tracking users / their accounts etc.

On top of this, the Documentation page for the Compliance call is poorly written. It does not indicate what most of the request parameters are, such as “signature” - where do we get that from? I gather we need to package up a dictionary and POST it to the server.

Also - we can only do this from within the app at max and not from our web server. This is a confusing needless requirement for stand-alone desktop apps that only integrate a partial set of the API. This should remain a non-mandatory requirement for such apps in my honest opinion.

To summarize - our desktop app has no link with our server. We have no back-end that stores user data or even knows who installed the app and how they’re using it. There’s no way for us to follow this “two step” data compliance API. We can make a call from our app to Zoom the moment they remove the integration, but the second call from our server to Zoom is impossible.

These guidelines need to be reconsidered. Our app already integrates with Google / Microsoft / Exchange / iCloud and we follow industry standards when it comes to protecting user privacy and removing user-sensitive details when the integration is removed. There is never a requirement to have a back-end web server with an active web-hook that somehow knows how to connect back to a potentially offline desktop app.

I’d be happy if there’s a way to call this deauth end-point ONCE and be done with it at the point of removal from within our app. That’s easily done, since we only store user data in the keychain on the mac and delete it once the integration is removed.

Please help as our app is stuck in this phase of the review process for over 2 weeks now. Our competitors seem to have integrated with zoom last month and somehow got away with this otherwise impossible to implement requirement.

Hey @fahad.beehive,

Let me help clear things up! :slight_smile:

In your case, when a user uninstalls your app via the marketplace:

Then, a webhook will be sent to your server containing all the necessary data (including the signature) for you to make the Deauth request. Your frontend and backend don’t need to look up any user data. :slight_smile:

Does that make sense? :slight_smile: If not, happy to hop on a Zoom call to explain further.


Thanks Tommy, that makes sense, all working now.

1 Like

Happy to help! :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.