We’re developing a Zoom app and have hit a conceptual roadblock regarding account-level vs user-level OAuth apps and how API calls work in the context of admin-managed apps.
We initially built a user-managed app, but we now want to use certain API scopes (like editing account settings) that are only available to account-level apps. And we are confused about whether converting our app into an account-level app would do it.
The problem is somewhat similar to what is listed here: link
The question remains unanswered: to access the endpoint to create a meeting on John’s account, do we use the admin Alex’s token? Or something else?
How exactly do we get tokens for non-admin users like John in an account-level app?
Let’s say:
Admin Alex installs the account-level app.
User John (under the same Zoom account) wants to schedule a meeting from our app.
We want to call: POST /users/john@company.com/meetings
Our core question is:
Whose access token do we use?
Alex’s (the admin who installed the app)?
Or John’s (even though he never directly authorized the app)?
And if it’s John’s, how do we get it, given only the admin authorized the app?
This has implications for how we handle tokens and whether we need to build logic for per-user token storage or use a single admin token.
Any clarification would be appreciated. A detailed explanation or link to official documentation would also help.
For user-level OAuth applications:
The application declares scopes without the :admin designation. To add these scopes, the application owner needs permission (based on their role) to do the same activity on the application owner’s user; this ensures that authorizing the application for local testing will succeed, as the application is impersonating the person that authorized its addition with a subset of their privileges.
Each user that authorized the application gets their own tokens, and those are independently retained and refreshed. These applications can be published to the Zoom Marketplace.
Calling API endpoints generally requires specifying me instead of a specific user ID.
For account-level OAuth applications (Server-to-Server):
The application declares scopes with the :admin designation. To add these scopes, the application owner needs permission (based on their role) to do the same activity on the application owner’s entire account; this ensures that authorizing the application will succeed, as the application is impersonating the person that authorized its addition with a subset of their privileges.
An administrator (the application owner) authorizes the application for the entire account and the tokens cover the entire account. These applications can’t be published to the Zoom Marketplace, so you won’t have to worry about tokens for other accounts.
Calling API endpoints generally requires specifying the specific user ID that’s affected.
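The token-selection rule the answer above describes, as an added example that is not part of the original post and not Zoom's own code: it builds (without sending) the request for POST /users/{userId}/meetings, using the caller's own token and `me` for a user-level app, and the single account token plus an explicit user ID for an account-level (Server-to-Server) app. The API base URL https://api.zoom.us/v2, the Bearer header, and meeting type 2 meaning "scheduled" are assumed from Zoom's public REST documentation; the token classes, emails and token strings are constructed for the illustration.

```python
"""Deciding whose Zoom OAuth token a request must carry.

Added illustration for the answer above; not Zoom's code. Builds the HTTP
request for POST /users/{userId}/meetings without sending it.
Assumed from Zoom's public REST docs: API base https://api.zoom.us/v2,
Bearer tokens in the Authorization header, meeting type 2 = scheduled.
"""
from dataclasses import dataclass, field
from typing import Dict

ZOOM_API_BASE = "https://api.zoom.us/v2"  # assumed base URL


@dataclass
class Token:
    access_token: str
    expires_at: float  # unix time; refresh before this point


@dataclass
class UserLevelTokenStore:
    """User-level app: one token per user who completed the consent flow,
    each independently retained and refreshed. Keys are lowercase emails."""
    tokens: Dict[str, Token] = field(default_factory=dict)


@dataclass
class AccountLevelTokenStore:
    """Account-level (Server-to-Server) app: the single token obtained with
    the admin's authorization covers every user in the account."""
    token: Token


def _check_fresh(tok: Token, now: float) -> Token:
    if tok.expires_at <= now:
        raise RuntimeError("access token expired; refresh it before calling the API")
    return tok


def build_create_meeting_request(app_type, store, caller_email, target_email, topic, now):
    """Return a dict (method, url, headers, json) for the create-meeting call.

    app_type: "user" (user-level OAuth) or "account" (Server-to-Server).
    caller_email: who is acting; target_email: whose calendar gets the meeting.
    """
    if app_type == "user":
        # A user-level app impersonates only the user who authorized it, so the
        # target must be the caller and the path segment is "me".
        if target_email.lower() != caller_email.lower():
            raise PermissionError(
                f"user-level app cannot act for {target_email}; "
                "that user must authorize the app themselves")
        tok = store.tokens.get(caller_email.lower())
        if tok is None:
            raise LookupError(f"{caller_email} has not authorized the app; no token stored")
        user_segment = "me"
    elif app_type == "account":
        # One account-wide token; the affected user is named explicitly in the path.
        tok = store.token
        user_segment = target_email
    else:
        raise ValueError(f"unknown app_type {app_type!r}")

    tok = _check_fresh(tok, now)
    return {
        "method": "POST",
        "url": f"{ZOOM_API_BASE}/users/{user_segment}/meetings",
        "headers": {"Authorization": f"Bearer {tok.access_token}",
                    "Content-Type": "application/json"},
        "json": {"topic": topic, "type": 2},  # type 2 = scheduled meeting (assumed)
    }


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    now = 1_700_000_000.0
    users = UserLevelTokenStore({"john@company.com": Token("john-token", now + 3600)})
    account = AccountLevelTokenStore(Token("account-token", now + 3600))
    print(build_create_meeting_request("user", users, "john@company.com",
                                       "john@company.com", "Standup", now)["url"])
    print(build_create_meeting_request("account", account, "alex@company.com",
                                       "john@company.com", "Standup", now)["url"])
```

The practical consequence for the question: a user-level app needs per-user token storage and can only ever create meetings as the user who consented; an account-level app needs one stored token and names the target user in the path, which is why the admin's authorization is sufficient there.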