Deauthorization flow

Hello,

I am in the process of getting my app on the marketplace approved. One of the last things I have pending is a deauthorization flow. Currently, for authorizing, there is a URL I can use in which a user is able to accept or deny a request for authorization. Is there a way to do something similar with deauthorizing? I have been looking everywhere and I cannot find a single article on how to do a proper deauthorization flow, so here I am asking with hopes that I can get this resolved ASAP!

Thanks in advance!

Hi @rmjuarez12 ,

You will have the deauthorization webhook sent to the deauthorization notification endpoint that you provide. You can then revoke the account/user’s access token prior to removing their data.

Let me know if the linked resources help to clarify things!

That part I do have done (except revoking access, that is pending). What I mean is, how do I go about the user removing the app? Do I have to just create a link from our webapp to Zoom to remove it from there? Or is there a way I can just call an API so that it is removed directly from my webapp?

@rmjuarez12 the user will remove the app themselves, causing the deauthorization webhook to be sent to your endpoint. At that point, you revoke the user’s access token. Does that make sense?

@gianni.zoom - Ah ok. So let me see if this flow is what I should follow:

  • User goes to their settings page on my webapp dashboard
  • User goes to their Zoom settings
  • On the Zoom settings page, I provide a link to go to the Zoom Marketplace, with a set of instructions on how to remove the app in there
  • User removes the app from the Zoom Marketplace (NOT my webapp dashboard)
  • My server receives a notification at whichever endpoint I have specified
  • That endpoint should remove any data from our DB regarding their Zoom account, as well as revoking the access token.

Let me know if the above is correct. I just want to make sure it is, since I want to send it for review ASAP.

Hi @rmjuarez12 ,

The endpoint itself cannot remove data from your DB. Once you receive the notification at the endpoint, you can programmatically revoke the access token and remove their data 🙂
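The flow the thread settles on (deauthorization webhook arrives, look up the token you stored at authorization time, revoke it, then delete the user's data) as an added example; this is not code from the thread or from Zoom. It is written in plain Python with the HTTP layer left out so it runs offline: `revoke_token` is an injected callable standing in for the call to Zoom's OAuth revoke endpoint, `InstallationStore` stands in for the table your OAuth callback writes, and the webhook payload, secret token and headers are constructed here. The signature scheme (`x-zm-signature` as `v0=` plus an HMAC-SHA256 over `v0:<timestamp>:<raw body>` keyed with the app's Secret Token, alongside `x-zm-request-timestamp`) is an assumption about Zoom's current webhook validation and should be checked against the Marketplace docs for your app.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed (not stated in the thread): Zoom signs each delivery with
# HMAC-SHA256 over "v0:<timestamp>:<raw body>" keyed with the app's Secret
# Token and sends it as "x-zm-signature: v0=<hex>" next to the timestamp.
SIGNATURE_HEADER = "x-zm-signature"
TIMESTAMP_HEADER = "x-zm-request-timestamp"
MAX_SKEW_SECONDS = 300  # reject replays of old deliveries after 5 minutes


@dataclass
class Installation:
    """What the OAuth callback stored for one Zoom user (constructed shape)."""
    user_id: str
    account_id: str
    access_token: str
    refresh_token: str
    synced_meetings: List[str] = field(default_factory=list)


class InstallationStore:
    """In-memory stand-in for the DB table written during authorization."""

    def __init__(self) -> None:
        self._by_user: Dict[str, Installation] = {}

    def save(self, inst: Installation) -> None:
        self._by_user[inst.user_id] = inst

    def get(self, user_id: str) -> Optional[Installation]:
        return self._by_user.get(user_id)

    def delete(self, user_id: str) -> None:
        self._by_user.pop(user_id, None)


def sign(secret_token: str, timestamp: str, raw_body: str) -> str:
    """Compute the expected signature header value for a delivery."""
    msg = f"v0:{timestamp}:{raw_body}".encode()
    return "v0=" + hmac.new(secret_token.encode(), msg, hashlib.sha256).hexdigest()


def verify_signature(secret_token: str, headers: Dict[str, str], raw_body: str, now: int) -> bool:
    """Constant-time check of the signature plus a freshness window on the timestamp."""
    ts = headers.get(TIMESTAMP_HEADER, "")
    sig = headers.get(SIGNATURE_HEADER, "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret_token, ts, raw_body), sig)


def handle_deauthorization(
    raw_body: str,
    headers: Dict[str, str],
    secret_token: str,
    store: InstallationStore,
    revoke_token: Callable[[str], bool],
    now: Optional[int] = None,
) -> dict:
    """Process one delivery to the deauthorization notification endpoint."""
    now = int(time.time()) if now is None else now
    if not verify_signature(secret_token, headers, raw_body, now):
        return {"status": 401, "action": "rejected_bad_signature"}
    event = json.loads(raw_body)
    if event.get("event") != "app_deauthorized":
        return {"status": 400, "action": "ignored_unexpected_event"}
    user_id = event["payload"]["user_id"]
    inst = store.get(user_id)
    if inst is None:
        # Deliveries can be repeated; a second one must succeed without side effects.
        return {"status": 200, "action": "already_removed", "user_id": user_id}
    # Revoke before deleting: if revocation fails the token is still on file,
    # so the delivery can be retried instead of leaving a live token behind.
    if not revoke_token(inst.access_token):
        return {"status": 500, "action": "revoke_failed", "user_id": user_id}
    store.delete(user_id)
    return {"status": 200, "action": "revoked_and_deleted", "user_id": user_id}


def demo() -> dict:
    """Run the handler against a constructed installation and webhook body."""
    secret = "example-secret-token"  # constructed, not a real Secret Token
    store = InstallationStore()
    store.save(Installation("user_456", "acct_123", "tok_live", "rtok_live", ["m1"]))
    revoked: List[str] = []

    def fake_revoke(token: str) -> bool:  # stands in for the HTTP call to Zoom
        revoked.append(token)
        return True

    body = json.dumps({"event": "app_deauthorized",
                       "payload": {"account_id": "acct_123", "user_id": "user_456",
                                   "client_id": "CLIENT_ID"}})  # constructed payload
    now = 1_700_000_000
    good = {TIMESTAMP_HEADER: str(now), SIGNATURE_HEADER: sign(secret, str(now), body)}
    forged = {TIMESTAMP_HEADER: str(now), SIGNATURE_HEADER: "v0=" + "0" * 64}
    return {
        "forged": handle_deauthorization(body, forged, secret, store, fake_revoke, now),
        "first": handle_deauthorization(body, good, secret, store, fake_revoke, now),
        "redelivered": handle_deauthorization(body, good, secret, store, fake_revoke, now),
        "stale": handle_deauthorization(body, good, secret, store, fake_revoke, now + 3600),
        "revoked": revoked,
        "remaining": store.get("user_456"),
    }
```

Two points the handler makes that the thread only implies: the endpoint must read the request body as raw bytes before JSON-decoding it, because the signature covers the exact bytes Zoom sent, and the revoke call goes first so that a failed revocation leaves the token in your store for a retry rather than an orphaned live token. In production `revoke_token` would POST the stored token to Zoom's OAuth revoke endpoint using the app's client ID and secret; confirm the exact request shape against the OAuth docs for your app type.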

Hmmm, how can I get the access token from the notification endpoint? According to the Deauthorization docs, the response I get does not contain the access token. How can I get the access token to be able to revoke it AFTER the user has removed the app?

Hi @rmjuarez12 ,

Currently, best practice is to grab the access token during authorization. See below for outlined process: