How do I limit the access our app has via the API?

I have successfully connected to Zoom via your API. I like it - nice job! I am receiving webhook calls and it works just as expected.

However, I notice that the script runs with the permissions of my user - that is, it can make changes and access anything since I’m an Owner. I don’t want that - I want it to basically be read-only so that if there’s ever a breach, it can’t act as me and manipulate our Zoom account.

So, I think I can create a user and add just the Roles I need. But that will use a seat, just to do normal security constraints. Am I missing something?

Also, I need to be able to test our app against the Webinar product and API; however, my account doesn’t have access to Webinar (only our sales and training people do). Is there a sandbox where I can start/stop webinars, make calls to gather data, etc. without having to either coordinate with our sales & training folks or log in as them (which I don’t want to do)?

Is there a way to get a “dev only” account for this kind of work?
Thanks
Bill

Hi @bbinko
Thanks for reaching out to us and welcome to the Zoom Developer Community!
You could use a Server to Server app and only add the scopes that you need. For example, if you only want to query meetings, you should only add a read meeting scope. Each endpoint has its own scope, so you should be able to make it very granular.
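
The read-only setup suggested in the reply can be verified at startup by auditing the scopes the issued token actually carries. This is an added example, not code from the thread or from Zoom; it assumes the token response has a space-separated `scope` field and that scope names follow a `resource:action:...` pattern, and the scope names and sample responses are constructed.

```python
# Scopes this integration is expected to hold. Assumed names: replace them
# with the scopes configured on your own app.
EXPECTED_SCOPES = frozenset({"meeting:read:admin", "webinar:read:admin"})


def _action(scope: str) -> str:
    """Return the action segment, assumed to be the second ':'-separated part."""
    parts = scope.split(":")
    return parts[1] if len(parts) >= 2 else ""


def audit_scopes(token_response: dict, expected=EXPECTED_SCOPES) -> dict:
    """Compare the scopes a token carries against the allowlist."""
    expected = set(expected)
    raw = token_response.get("scope")
    if not isinstance(raw, str) or not raw.strip():
        # No scope information: fail closed instead of assuming read-only.
        return {"ok": False, "unexpected": [], "not_read": [],
                "missing": sorted(expected)}
    granted = set(raw.split())
    unexpected = sorted(granted - expected)            # scope drift
    not_read = sorted(s for s in granted if _action(s) != "read")
    missing = sorted(expected - granted)               # functional gap only
    return {"ok": not unexpected and not not_read,
            "unexpected": unexpected, "not_read": not_read, "missing": missing}


# Constructed token responses for illustration (not real tokens).
SAMPLE_OK = {"access_token": "constructed", "token_type": "bearer",
             "expires_in": 3600,
             "scope": "meeting:read:admin webinar:read:admin"}
SAMPLE_DRIFT = {"access_token": "constructed", "token_type": "bearer",
                "expires_in": 3600,
                "scope": "meeting:read:admin meeting:write:admin"}

if __name__ == "__main__":
    for name, resp in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT)):
        result = audit_scopes(resp)
        print(name, result)
        if not result["ok"]:
            print("  refusing to start: token is broader than read-only")
```

Running the check on every token refresh also catches scopes added to the app later, since the allowlist lives in the integration's own code.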