How to Create a Multi-Tenant OAuth Integration for Read-Only Access to Zoom Phone Devices and Zoom Rooms Across Customer Accounts?

Hello Zoom Developer Support Team,

We are designing a Multi-Tenant OAuth integration for Zoom and would like guidance on the recommended architecture and app configuration.

Our requirement is:

  • We want to create a single OAuth application under our Zoom developer account.

  • Customer account administrators (different Zoom tenants) should be able to provide a one-time admin authorization to our app. Using the same authorization, we should be able to programmatically refresh the access token and refresh token at a certain interval, without forcing the admin user to log in again once the one-time authorization has been granted successfully.

  • Using this authorization, our platform should securely access:

    • Zoom Phone device details (read-only)

    • Zoom Rooms information (read-only)

  • We want to centrally manage the OAuth app from our own account rather than creating separate apps per customer tenant.

  • The same OAuth app should be reusable across all customer tenants.

Example expected flow:

  • Customer admin clicks “Connect Zoom”

  • Admin signs into Zoom and grants one-time authorization (consent).

  • Our backend stores tenant/account identifiers and refresh tokens securely

  • We can fetch Zoom Phone device and Zoom Rooms data in read-only mode using the relevant Zoom APIs.

Could you please share the recommended Zoom app type, architecture, and any relevant documentation/examples for implementing this securely as a scalable multi-tenant SaaS integration?

Thank you.

It sounds like you want an Admin-managed OAuth app. With this app type, a customer’s account admin authorizes your app once on behalf of their entire account. No individual user logins needed after that. You store the refresh token server-side and refresh programmatically — the admin never has to sign in again unless they revoke.

Admin-managed apps: Admins must add these apps, and the account admin manages them for all users. These apps can access Zoom APIs to manage users, reports, and account content.

For Zoom Phone device details and Zoom Rooms info (both read-only), you’ll request the relevant read-only scopes. Admin-managed is the right fit since these are account-level resources.

The key piece for multi-tenant: to let admins from other Zoom accounts authorize your app, you need to publish it on the Zoom App Marketplace. Without publishing, the app only works within your own account.

Two distribution options:

  • Listed — publicly discoverable on the Marketplace.
  • Unlisted — only accessible via direct link, not searchable. Good if you’re distributing to specific customers.

Both require going through our review process (metadata, compliance, security audit on your scope usage). The team works with you to get through it.

Architecture in short: one Admin-managed OAuth app, read-only scopes for Phone and Rooms, published listed or unlisted. Each customer admin authorizes once, you store their refresh token, call APIs on their behalf. One app, many tenants.

Resources:
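
An added example, not part of the reply above and not Zoom's own code: a per-tenant token store for the "one app, many tenants" design, which serializes refreshes per account so that concurrent workers never present a refresh token that has already been replaced. `TenantTokenStore` and the injected `post` transport are hypothetical names, the in-memory dict stands in for encrypted storage, and the code assumes each refresh response carries a replacement refresh token.

```python
import base64
import threading
import time

TOKEN_URL = "https://zoom.us/oauth/token"  # Zoom OAuth token endpoint

class TenantTokenStore:
    """Token records keyed by Zoom account ID (in-memory stand-in for an encrypted table)."""

    def __init__(self, client_id, client_secret, post, skew=60):
        creds = f"{client_id}:{client_secret}".encode()
        self._auth = {"Authorization": "Basic " + base64.b64encode(creds).decode()}
        self._post = post      # injected transport: post(url, headers, data) -> dict
        self._skew = skew      # refresh this many seconds before expiry
        self._records = {}     # account_id -> {"access", "refresh", "expires_at"}
        self._locks = {}       # account_id -> Lock: one refresh in flight per tenant
        self._guard = threading.Lock()

    def _lock_for(self, account_id):
        with self._guard:
            return self._locks.setdefault(account_id, threading.Lock())

    def _save(self, account_id, resp, now):
        old = self._records.get(account_id, {})
        self._records[account_id] = {
            "access": resp["access_token"],
            "refresh": resp.get("refresh_token", old.get("refresh")),
            "expires_at": now + int(resp["expires_in"]),
        }

    def connect(self, account_id, token_response, now=None):
        """Store the tokens from the admin's one-time authorization."""
        with self._lock_for(account_id):
            self._save(account_id, token_response, time.time() if now is None else now)

    def access_token(self, account_id, now=None):
        """Return a valid access token for one tenant, refreshing only when needed."""
        now = time.time() if now is None else now
        with self._lock_for(account_id):
            rec = self._records[account_id]  # KeyError: tenant never connected
            if now < rec["expires_at"] - self._skew:
                return rec["access"]
            body = {"grant_type": "refresh_token", "refresh_token": rec["refresh"]}
            resp = self._post(TOKEN_URL, self._auth, body)
            # Assumption: each refresh returns a replacement refresh token, so it
            # is persisted under the tenant's lock before the access token is used.
            self._save(account_id, resp, now)
            return resp["access_token"]
```

In production, `post` would wrap a real HTTPS client, and the records would live in a database with the refresh tokens encrypted at rest.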