Getting OAuth tokens for API with service permissions in Zoom

What is the correct way to get OAuth access tokens for an API with service permissions (no need for user permission)? We do not want to share JWT tokens between different applications, so we are stuck with OAuth. Our Zoom administrator has generated (tenant and shared secret and) the first token for us. But we do not see a way to get the tokens by only having the tenant ID and shared secret. What we do right now is that we store the last token and the refresh token (which is a one-off token) in a database, and we invoke the refresh token when the current one has expired and save the new token to the database again.

Is there a better way to do this?

Which App Type (OAuth / Chatbot / JWT / Webhook)?

Which Endpoint/s?

How To Reproduce (If applicable)

Hi @gergely.jaczko all OAuth apps need to be installed onto a user account to retrieve and refresh access tokens.

Your workflow is the suggested use to store and update both of these tokens.

Hi Michael,

Thanks for your reply. So in other words, if we develop a web service to make changes in Zoom and we do not want to store tokens in our database, we have to use JWT. Am I right? As far as I know there can be only one JWT app for a workspace. This would mean that we have to share credentials between different apps. Am I right? If this is the case, this would impose risks in accessing and auditing, and it would also violate the least privilege principle (as some apps do not need as many privileges as others). Is there any way to mitigate this?

Thanks, Gergely

Hi @gergely.jaczko,

Yes, an account only has one API Key & Secret, and should be shared between applications. We have some plans to expand capabilities and restrictions on JWT apps (API Keys), but we don’t have a timeline on these improvements.

For user & application scoping, we recommend OAuth. As above, this would mean using an access token to make requests, and storing the current refresh token along with user records.
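The store-and-refresh workflow discussed in this thread (single-use refresh token, new pair persisted after every refresh), as an added example that is not code from Zoom or from the posters here. It assumes Zoom's token endpoint URL, client credentials sent as HTTP Basic, and a JSON reply carrying `access_token`, `refresh_token` and `expires_in`; the HTTP transport is injectable so the logic can be exercised offline.

```python
import base64
import json
import sqlite3
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://zoom.us/oauth/token"  # Zoom's token endpoint; assumed, not quoted in the thread
REFRESH_SKEW = 60  # refresh this many seconds before the recorded expiry

def http_post(url, headers, body):
    # Default transport: POST the form body, decode the JSON reply.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenStore:
    # Holds the current (access_token, refresh_token, expires_at) per installing user.
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS tokens (user_id TEXT PRIMARY KEY, "
                        "access_token TEXT, refresh_token TEXT, expires_at REAL)")
    def save(self, user_id, access_token, refresh_token, expires_in, now):
        self.db.execute("INSERT OR REPLACE INTO tokens VALUES (?, ?, ?, ?)",
                        (user_id, access_token, refresh_token, now + expires_in))
        self.db.commit()
    def load(self, user_id):
        return self.db.execute("SELECT access_token, refresh_token, expires_at FROM tokens "
                               "WHERE user_id = ?", (user_id,)).fetchone()

def refresh_tokens(client_id, client_secret, refresh_token, post=http_post):
    # Trade the single-use refresh token for a new pair; client credentials go in HTTP Basic.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return post(TOKEN_URL, headers, body.encode())

def get_access_token(store, user_id, client_id, client_secret, post=http_post, now=None):
    # Return a usable access token, refreshing and re-persisting the pair once it has expired.
    now = time.time() if now is None else now
    row = store.load(user_id)
    if row is None:
        raise LookupError(f"no tokens stored for {user_id}; the app must be installed first")
    access_token, refresh_token, expires_at = row
    if expires_at - REFRESH_SKEW > now:
        return access_token
    fresh = refresh_tokens(client_id, client_secret, refresh_token, post)
    # The old refresh token is spent after one use, so persist the new pair before returning.
    store.save(user_id, fresh["access_token"], fresh["refresh_token"], fresh["expires_in"], now)
    return fresh["access_token"]
```

Because the refresh token rotates, persisting the new pair must succeed before the old one is discarded; losing that write leaves the user with no valid refresh token and forces a re-install.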