Granular Scopes Not Appearing

We do not see the granular scopes expected within the developer console.

In particular, we’re looking to enable the following:
recording:read:admin,recording:read
user:read:list_recordings,user:read:list_recordings:admin,user:read:list_recordings:master

What setting on the Admin side needs to be enabled for this to appear on the developer console side? (I’ve found other posts about this in the forum, but none that show the solution, thanks.)

FWIW, enabling the scopes that seem correct (cloud_recording:read:list_recording_files:admin, cloud_recording:read:list_account_recordings:admin, cloud_recording:read:recording:admin, cloud_recording:read:list_user_recordings:admin) is sufficient for listing and retrieving recordings for some user accounts but leads to 4711 errors when attempting to access other user accounts (Invalid access token, does not contain scopes:[ cloud_recording:read:list_user_recordings, cloud_recording:read:list_user_recordings:admin ]). This seems like a bug?

Hi @gianni.zoom I see that you responded to a couple of other posts regarding granular scope and I am hoping that you could take a look at our issue as well!

Hi @rita.curti ,

As I am myself struggling with recording deletion issues in a production setup, and have the scopes you mention in our configs, I dug a little, and here’s my understanding of the situation.

In March 2024, Zoom changed/evolved its scope system, and we have now “Classic” and “Granular”.

The recording:read:admin and the like are part of the Classic/old scopes, and aren’t available anymore if you recently (i.e. past March 2024) created an app in the Marketplace/Dev console. I checked and tested in our account:

  • App configs that pre-date the Granular scopes only list the Classic ones
  • New apps only offer the Granular scopes

But it would appear that Zoom has not updated its API documentation to those new Granular scopes. So we’re stuck with doc that only mentions “Classic” scopes, and an app config that only shows “Granular” ones. As your post shows, that certainly isn’t helping.

Edit: Actually, some endpoints mention scope+granular, and others only have the (old) scopes… On top of that, the “Granular scopes” doc only gives a partial list of available new scopes.

As @ch-a3n points out, you may want to try, browse and select scopes based on what you’re looking to achieve, as the ones I’ve looked at seem rather self-explanatory.

Hi @rita.curti can you please confirm if you have a master-subaccount structure? If not, you are using the wrong endpoints.

If this is your account structure, the permissions to access these endpoints need to be provided for the user role who is querying the Zoom APIs.

The first link says enabling for Server-to-Server OAuth apps, but the directions apply to General Apps as well.

Hi @ch-a3n , are those users external to your account?

What app-type are you using and when was it created?

Is it an internal app (server-to-server), unlisted (approved for access to external accounts but not on the marketplace), or published app (approved for access to external accounts and on the marketplace)?

Hi @kara.enomoto , could you please link your issue?

Hi @it_epsn , thanks for adding this part. Did locating this information help you to resolve your issue?

Hi @gianni.zoom - confirmed we have the master-subaccount structure.

The role is already assigned the ability to manage the sub-account “with the same privileges as this account”.

Hi @rita.curti ,

The scopes you shared are our legacy scopes. Could you please clarify the following:

  • approximate date when app was created
  • app type (if relevant)
  • endpoints you’re attempting to use

Hey @gianni.zoom ,

This is an internal server to server OAuth account and the users we receive permission errors for are internal users. They are not in a different subaccount either.

To your response on @rita.curti’s question, the scopes she listed are the scopes supplied by the API documentation: /docs/api/rest/reference/zoom-api/methods/#operation/recordingsList

We are using a newer application that requires the granular scopes, but we are unable to find the appropriate scopes in the admin panel.

To sum up:

  1. We receive a permission error when attempting to read recordings from some users in our account. This permission error occurs when I supply a token with the scopes: cloud_recording:read:list_recording_files:admin, cloud_recording:read:list_account_recordings:admin, cloud_recording:read:recording:admin, cloud_recording:read:list_user_recordings:admin
  2. In our attempt to fix errors, we attempted to enable the scopes listed in the error message (Invalid access token, does not contain scopes:[ cloud_recording:read:list_user_recordings, cloud_recording:read:list_user_recordings:admin ]) AND the scopes listed in the API documentation. cloud_recording:read:list_user_recordings:admin was already enabled and we could not find cloud_recording:read:list_user_recordings presumably because this is an account scoped app vs a user scoped app. We also could not find any of the scopes listed in the API documentation.

This leads me to two conclusions:

  1. The API documentation is outdated
  2. There is likely a bug that is blocking us from accessing specific users’ recordings
1 Like
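
The comparison described in the post above, as an added example that is not part of the thread and not Zoom's code: it checks the scopes named in the 4711 error against the scopes enabled on the app, using the strings quoted in the posts. The function names are hypothetical, and because the thread does not say how the API evaluates the listed scopes, the helper only reports the overlap.

```python
import re

# Suffixes seen in the thread for account-level variants of a scope.
ACCOUNT_SUFFIXES = (":admin", ":master")

def parse_scopes(text):
    """Split a scope list on commas or whitespace.

    Stray spaces around ':' (as in 'list_user_recordings: admin') are removed
    first so a pasted scope is not split into two bogus entries.
    """
    text = re.sub(r"\s*:\s*", ":", text)
    return {s for s in re.split(r"[,\s]+", text) if s}

def scopes_from_error(message):
    """Return the scopes named in a 'does not contain scopes:[...]' message."""
    m = re.search(r"does not contain scopes:\s*\[([^\]]*)\]", message)
    return parse_scopes(m.group(1)) if m else set()

def diagnose(granted_text, error_message):
    """Report which scopes named in the error are enabled and which are not."""
    granted = parse_scopes(granted_text)
    named = scopes_from_error(error_message)
    absent = sorted(named - granted)
    return {
        "named_and_granted": sorted(named & granted),
        "named_not_granted": absent,
        # For each absent scope, the account-level variants that are enabled.
        "account_variants_granted": {
            s: sorted(s + suf for suf in ACCOUNT_SUFFIXES if s + suf in granted)
            for s in absent
        },
    }

# Strings copied from the posts above.
GRANTED = ("cloud_recording:read:list_recording_files:admin ,"
           "cloud_recording:read:list_account_recordings:admin ,"
           "cloud_recording:read:recording:admin , "
           "cloud_recording:read:list_user_recordings:admin")
ERROR = ("Invalid access token, does not contain scopes:"
         "[ cloud_recording:read:list_user_recordings, "
         "cloud_recording:read:list_user_recordings:admin ]")

if __name__ == "__main__":
    for key, value in diagnose(GRANTED, ERROR).items():
        print(key, value)
```
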

@ch-a3n can you let me know when the app was created? Was it created after March 30th? Also, your server to server OAuth app will show you admin scopes since it’s an admin level app. But I agree with you that we need to fix this in our documentation and we will work with the correct team.

1 Like

Hey @ch-a3n @it_epsn @rita.curti @kara.enomoto I created a new S2S OAuth app with master sub account structure and all permissions enabled and was able to reproduce what you’re describing. I opened a ticket (ZSEE-131411) for this fix.

1 Like

Thanks Gianni! How can we track the status of this ticket? When I plug it into the search bar, I am unable to see it.

Hi @kara.enomoto , this is an internal reference for other Zoom technical staff, but I will share updates on this thread as they become available.

1 Like

Hi @kara.enomoto @ch-a3n @it_epsn @rita.curti @ojus.zoom ,

Apparently our documentation for the error was incorrect and the missing granular scope is cloud_recording:read:list_user_recordings: admin. I’m waiting to hear clarification on if the error code will also be updated for the endpoint to confirm if it is working for you now.

Please add this scope and try the endpoint.

Hi all, please let me know if it is working.

Hi, Gianni. It isn’t working yet

Hi @Manuel2 , can you please clarify if you added cloud_recording:read:list_user_recordings: admin with correct user permissions/role enabled? Asking for clarity since you were not a part of the original correspondence.

Hi @gianni.zoom . That scope doesn’t appear. All available recording scopes have been enabled.