Developing a Zoom App with Secure Multi-Tenant Data Separation

I’m developing a Zoom App that connects to our company’s CRM system, displaying contextual information (e.g., past orders) for active Zoom Phone calls.

My goal is to design this as a scalable integration that could be listed on the Zoom Marketplace, allowing multiple companies to use it while ensuring strict data separation.

How the App Works:

1. Webhooks from Zoom will send call details (e.g., phone numbers) to my external app server.
2. The Zoom App (within Workplace) will use the Zoom Phone SDK to retrieve the call ID.
3. The app will make an API request to my server to fetch relevant CRM data.

Security Concern:

The API call from the Zoom App to my server needs to securely authenticate the user and ensure they can only access call data related to their company.

What is the best approach to achieve this multi-tenant data separation while maintaining security?

Any recommendations on authentication strategies or existing Zoom features that can help with this would be greatly appreciated!

If you store your customers with guids and you’re programmatically creating webhooks, perhaps you could ceeate each webhook to include a shortened guid, and pass that through the workflow. Your server would then only seek appropriate CRM data that’s associated with the (un-shortened) guid in question. It’s not the best answer but at least provides a predictable route and some level of filtering.