We are planning to start the process of publishing our application to Zoom marketplace. We are developing an application which will be using account based OAuth flow. We are not going to be using per user based authentication flow and so we do not store any user information. Below are the two things that we store in our database:
- Refresh token provided by Zoom for each of our customers who authenticate using the OAuth flow.
- Meeting ID of meetings created using the meeting APIs. This meeting ID will be used in future to fetch more details about the meeting. In our flow, our end users do not go to the Zoom UI and the entire meeting creation flow happens via API. Once the meeting is created, we fetch the meeting details and share them with the user in the email that is sent out from our system.
Below are the questions that we had:
- Since we are not storing any user information and our application is using the account based OAuth flow, what data should we delete? Should we be deleting all the meeting IDs from our database for that customer? Do we even need to do anything if we are not storing any user data in our database? The only data we have is the meeting ID and the details of the meeting that are sent in the email to the end user.
- We looked at the payload of the de-authorization endpoint and it contains fields like account_id and user_id. But we do not store this information in our database. So how do we identify which account this de-authorization request is for? While searching the forum, we came across the topic below, in which the user has posted a similar issue. The solution is to decode the access token while the authorization process is going on and fetch the account_id from it. Is this still a suggested approach or is there a better way? We do not want to increase scopes for our API.
- What happens if Zoom never receives our data compliance request due to an issue? Should we retry?
- What happens if we never receive a deauthorization request from Zoom even if a customer has uninstalled our app?
Which App Type (OAuth / Chatbot / JWT / Webhook)?
Account Based OAuth
Data compliance: https://marketplace.zoom.us/docs/guides/publishing/data-compliance
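The following is an added example, not code from the original post and not Zoom's own code, showing how the approach asked about above fits together: reading the account id out of the access token's JWT payload at token-exchange time and storing it next to the refresh token, verifying the deauthorization webhook before trusting it, deleting the stored meeting ids for that account, and queuing the data compliance request so it can be retried if the first send fails. Everything here is an assumption to be checked against the linked data compliance guide: the claim name `aid`, the `v0:{timestamp}:{body}` HMAC-SHA256 webhook signature scheme, and the compliance request field names are written as I recall them from Zoom's documentation, the `send` callable is a stand-in for a real HTTP call, and all tokens, ids and event values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Assumption: the access token JWT carries the account id under this claim name.
# Inspect a real token's payload and confirm against Zoom's docs before relying on it.
ACCOUNT_ID_CLAIM = "aid"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def account_id_from_access_token(access_token: str) -> str:
    """Read the account id from the (unverified) payload of a JWT access token.

    No signature check is done on purpose: the token was just returned to us by
    the token endpoint over TLS and is only used as a lookup key, never to
    authorise anything on its own.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a JWT")
    return json.loads(_b64url_decode(parts[1]))[ACCOUNT_ID_CLAIM]


def sign_webhook(secret_token: str, timestamp: str, body: str) -> str:
    """Zoom-style v0 signature: HMAC-SHA256 over 'v0:{timestamp}:{body}' (assumed scheme)."""
    message = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret_token.encode(), message, hashlib.sha256).hexdigest()


def verify_webhook_signature(secret_token: str, timestamp: str, body: str, signature: str) -> bool:
    """Reject deauthorization events that do not carry a valid signature; an
    unauthenticated endpoint would let anyone wipe a customer's data."""
    return hmac.compare_digest(sign_webhook(secret_token, timestamp, body), signature)


class InstallStore:
    """In-memory stand-in for the database described in the post."""

    def __init__(self):
        self.refresh_tokens = {}      # account_id -> refresh token
        self.meeting_ids = {}         # account_id -> set of meeting ids
        self.pending_compliance = []  # compliance bodies not yet acknowledged by Zoom

    def on_oauth_exchange(self, token_response: dict) -> str:
        # Store the account id at authorization time so a later deauthorization
        # event (which carries account_id) can be matched to this install.
        account_id = account_id_from_access_token(token_response["access_token"])
        self.refresh_tokens[account_id] = token_response["refresh_token"]
        return account_id

    def on_meeting_created(self, account_id: str, meeting_id: int) -> None:
        self.meeting_ids.setdefault(account_id, set()).add(meeting_id)

    def on_deauthorized(self, event: dict, client_id: str) -> dict:
        """Delete everything held for the account, then queue the compliance request."""
        payload = event["payload"]
        account_id = payload["account_id"]
        self.refresh_tokens.pop(account_id, None)
        removed = self.meeting_ids.pop(account_id, set())
        self.pending_compliance.append({  # field names assumed; check the guide
            "client_id": client_id,
            "user_id": payload["user_id"],
            "account_id": account_id,
            "deauthorization_event_received": payload,
            "compliance_completed": True,
        })
        return {"account_id": account_id, "meetings_deleted": len(removed)}

    def flush_compliance(self, send, max_attempts: int = 3) -> int:
        """Try to deliver each queued compliance request; keep failures for a later run.

        `send(body) -> bool` is a placeholder for the real HTTPS POST. A production
        version would back off between attempts and persist the queue.
        """
        delivered, still_pending = 0, []
        for body in self.pending_compliance:
            if any(send(body) for _ in range(max_attempts)):
                delivered += 1
            else:
                still_pending.append(body)
        self.pending_compliance = still_pending
        return delivered


def make_constructed_jwt(payload: dict) -> str:
    """Build an unsigned JWT-shaped token for the demo (constructed sample, not a Zoom token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


if __name__ == "__main__":
    store = InstallStore()
    token = make_constructed_jwt({"aid": "acct-constructed-1", "uid": "user-constructed-1"})
    acct = store.on_oauth_exchange({"access_token": token, "refresh_token": "rt-constructed"})
    store.on_meeting_created(acct, 91234567890)
    event = {"event": "app_deauthorized", "payload": {"account_id": acct, "user_id": "user-constructed-1"}}
    print(store.on_deauthorized(event, client_id="client-id-placeholder"))
    print("delivered:", store.flush_compliance(lambda body: True))
```

The queue in `flush_compliance` is the answer to the retry question in the post: the deletion happens immediately on the verified event, but the compliance request is kept until Zoom acknowledges it, so a transient network failure does not leave the account unreported.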