Description
Can we be certain that the email address we receive from the v2/users/me endpoint is actually owned by the user? IE could this endpoint ever be called on a user who has created a zoom account for that email address but not yet confirmed their email?
I thought that maybe the “verified” attribute of the user determined this, but for someone who logs into their Zoom account via Google, the api said that verified was 0 for that user. So should we be checking if verified is true OR login_type = [Facebook, Google, SSO]?
What exactly does “verified” mean?
Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth
Good question. To clarify, if a user is verified (type 1), this means that they received an email when their user profile was created and confirmed that they did in fact sign up by clicking a link to confirm in the email.
If someone logs in using a source such as Google, this follows a different flow, so they will not receive the same email. As you suggested, you should check separately in these instances to see if they used another login source when they signed up.
I hope this helps to clarify, but let me know if you have questions about this.