I’m seeking clarification regarding updated authorization requirements for Meeting SDK applications joining meetings outside their developer account.
I have a Web Meeting SDK application with the following architecture:
The app joins meetings strictly as a participant (role = 0).
It does NOT start meetings.
It does NOT represent or impersonate a Zoom user.
It does NOT use OAuth.
It does NOT call Zoom REST APIs.
It does NOT use ZAK or OBF tokens.
A server-generated Meeting SDK JWT is used solely for participant-level joining.
If moderation features are needed, the human host manually grants co-host privileges inside the meeting.
Given the documentation update stating:
“Starting March 2, 2026, apps joining meetings outside their account must be authorized using ZAK, OBF, or RTMS.”
My question is:
For a participant-only Meeting SDK Web app (role = 0) that does not initiate meetings and does not attribute identity to a Zoom user, is OAuth + ZAK now mandatory when joining meetings hosted by external accounts?
Or does the requirement apply specifically to apps that start meetings or act on behalf of a Zoom user identity?
Thanks for pointing me to the blog post — I’ve reviewed it carefully.
Based on the attribution models described there, I want to confirm how it applies to a participant-only Meeting SDK Web app.
Our app joins meetings as a visible participant (role 0) using a server-generated Meeting SDK signature. It does not start meetings, does not access media streams, and does not act on behalf of a specific Zoom user via REST APIs. If moderation is needed, the human host manually grants co-host inside the meeting.
In this scenario, is OAuth-based OBF authorization still required when joining meetings hosted by external accounts, or does the requirement primarily apply to SDK apps that explicitly act on behalf of a Zoom user identity?
I just want to ensure we’re aligned with the correct attribution path going forward.
Starting March 2, 2026, a Meeting SDK app can’t join meetings hosted by external accounts with only a Meeting SDK signature/JWT; it must be attributed using an OBF (On Behalf Of) token per Zoom’s Meeting SDK authorization FAQ and the Meeting SDK auth docs. That means OAuth is required for cross-account joins to obtain OBF or ZAK, where one of these is required to join the call.
In your scenario (participant-only Web app, role 0, no REST impersonation), OBF is still required when joining meetings hosted by external accounts, because it’s the attribution model for cross-account joins in the FAQ table. Note the FAQ’s constraint that OBF depends on an associated authorized user being in the meeting, as described in the same FAQ section.
If the meeting is within your app owner’s account, JWT-only join for role=0/non-login remains allowed in the FAQ table. If you can’t have a Zoom user authorize/present, Zoom points to RTMS as the alternative in the same link, where the host can authorize your app to join/record.
If you want to go deeper, feel free to check out Recall.ai - we’ve supported thousands of developers through these exact implementation details. We’re also a Zoom RTMS Preferred Partner and you can get further support through Recall.ai if interested!