Hi all,
I’m preparing to submit three apps for Marketplace review and want to make sure I’m fully compliant with the deauthorization webhook requirements. Two of the apps are user-managed (one is OAuth2) and the third is admin-managed.
Reading through this thread (https://devforum.zoom.us/t/complete-process-of-deauthorization-and-what-next/102055) and others, I see the typical guidance is to (a) revoke the user’s access token via /oauth/revoke, and (b) clear the user’s data on our side. I want to make sure I understand the requirements correctly and have a few specific questions:
- Documentation pointer: Is there an authoritative doc (beyond the general App Review Guidelines) that spells out exactly what “compliant” deauthorization handling looks like? I want to be sure we’re meeting both the technical and legal/data-handling expectations.
- Token revocation when tokens aren’t stored: Today our apps do not persist Zoom access tokens server-side; we use them transiently at sign-in and discard them. Does the deauthorization requirement to “revoke the user’s access token” imply we now need to persist tokens specifically so we can revoke them on the webhook? And separately: when a user uninstalls our app from their Zoom client, does Zoom invalidate the access token / OAuth grant on its end as part of that flow? If so, would that be sufficient, or is the app responsible for the revoke call regardless?
- Scope of “clear user data”: When the webhook fires, what’s the minimum compliant action on our side? Specifically, does this mean clearing only the linkage between our user record and the Zoom identity, or are we expected to delete the user record entirely (or some subset of derived data)?
Any pointers to canonical docs, prior reviewer guidance, or examples would be much appreciated.
Thanks!
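The following is an added example, not code from the post above or from Zoom's own samples, showing the shape of a deauthorization webhook handler that covers the two actions the post describes (revoke a stored token, clear the Zoom linkage) plus the checks a reviewer would expect around them: verifying the x-zm-signature header (HMAC-SHA256 over "v0:<timestamp>:<body>", sent as "v0=<hex>"), answering the endpoint.url_validation challenge, rejecting stale timestamps, and staying idempotent on redelivery. It assumes the event name `app_deauthorized`, the payload fields `account_id`, `user_id` and `deauthorization_time`, the `https://zoom.us/oauth/revoke` endpoint, the 300-second replay window and the in-memory `UserStore` are as named here; the revoke call is injected so the code runs offline. It also handles the case the post raises where no token was ever stored: the linkage is still cleared and the result records that nothing was revoked.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Assumed values for this example: the app's webhook secret token (from the
# Marketplace app's Event Subscriptions page) and a replay window we chose.
SECRET_TOKEN = "example-secret-token"
MAX_SKEW_SECONDS = 300


def expected_signature(secret_token: str, timestamp: str, raw_body: bytes) -> str:
    """Zoom signs each webhook as HMAC-SHA256 over 'v0:<timestamp>:<raw body>'
    and sends it in x-zm-signature as 'v0=<hex digest>'."""
    message = f"v0:{timestamp}:".encode() + raw_body
    digest = hmac.new(secret_token.encode(), message, hashlib.sha256).hexdigest()
    return f"v0={digest}"


def verify_request(secret_token: str, headers: dict, raw_body: bytes, now=None) -> bool:
    """Constant-time signature check plus a replay window on x-zm-request-timestamp."""
    ts = headers.get("x-zm-request-timestamp", "")
    sig = headers.get("x-zm-signature", "")
    if not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(expected_signature(secret_token, ts, raw_body), sig)


def url_validation_response(secret_token: str, plain_token: str) -> dict:
    """Answer the endpoint.url_validation challenge: echo plainToken and return
    HMAC-SHA256(secret, plainToken) as encryptedToken."""
    enc = hmac.new(secret_token.encode(), plain_token.encode(), hashlib.sha256).hexdigest()
    return {"plainToken": plain_token, "encryptedToken": enc}


@dataclass
class UserStore:
    """Constructed in-memory stand-in for the app's database (assumed shape)."""
    # zoom user id -> {"app_user_id": ..., "access_token": token or None}
    links: dict = field(default_factory=dict)
    seen: set = field(default_factory=set)  # dedupe keys so redelivery is idempotent


def handle_deauthorization(payload: dict, store: UserStore, revoke) -> dict:
    """Revoke the stored token (if any) and drop only the Zoom linkage.
    `revoke(token)` is injected; a real one would POST to
    https://zoom.us/oauth/revoke?token=... with Basic client credentials (assumed)."""
    user_id = payload["user_id"]
    key = (payload.get("account_id"), user_id, payload.get("deauthorization_time"))
    if key in store.seen:
        return {"status": "duplicate"}  # webhook retries must not double-process
    store.seen.add(key)
    link = store.links.pop(user_id, None)
    revoked = False
    if link and link.get("access_token"):
        revoked = bool(revoke(link["access_token"]))
    return {"status": "deauthorized", "revoked": revoked, "had_link": link is not None}


def handle_webhook(headers: dict, raw_body: bytes, store: UserStore, revoke,
                   secret_token: str = SECRET_TOKEN, now=None):
    """Entry point for the webhook route: returns (http_status, response_body)."""
    if not verify_request(secret_token, headers, raw_body, now):
        return 401, {"error": "bad signature"}
    event = json.loads(raw_body)
    if event.get("event") == "endpoint.url_validation":
        return 200, url_validation_response(secret_token, event["payload"]["plainToken"])
    if event.get("event") == "app_deauthorized":
        return 200, handle_deauthorization(event["payload"], store, revoke)
    return 200, {"status": "ignored"}


def signed_headers(secret_token: str, raw_body: bytes, ts: int) -> dict:
    """Helper that builds the headers Zoom would send for raw_body at time ts."""
    return {"x-zm-request-timestamp": str(ts),
            "x-zm-signature": expected_signature(secret_token, str(ts), raw_body)}


if __name__ == "__main__":
    # Constructed sample: one linked user with a stored token.
    store = UserStore(links={"abc123": {"app_user_id": 42, "access_token": "tok"}})
    body = json.dumps({"event": "app_deauthorized",
                       "payload": {"account_id": "acct", "user_id": "abc123",
                                   "deauthorization_time": "2024-01-01T00:00:00Z"}}).encode()
    print(handle_webhook(signed_headers(SECRET_TOKEN, body, 1700000000), body, store,
                         lambda tok: True, now=1700000000))
```

The handler deliberately removes only the Zoom linkage from `store.links` and leaves the app's own user record alone; whether more must be deleted is the question the post asks, and the place to widen the deletion is the one `pop` call.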