I’m currently working on a project where I need to programmatically download meeting transcripts (.vtt files) using Zoom’s API. I’m using a server-to-server OAuth app owned by the account owner and have ensured that all necessary scopes are enabled, as outlined in Zoom’s API documentation.
Here’s where I’m at:
I’ve successfully used the endpoint provided in the API documentation to retrieve meeting recordings.
However, when I attempt to use the curl command (with the download_access_token) to download the transcript file, I run into issues. Initially, I encountered redirect errors, which I resolved by adding the -L flag to follow redirects.
Yet now, I’m seeing the following message:
“Only the host can download this recording. Please sign in to your Zoom account to download if you are the host.”
This error suggests that despite passing the download_access_token, there’s still a permissions issue tied to the host role.
Has anyone faced a similar issue or have insights on how to work around this limitation? Is there something additional I need to configure, perhaps on the account level or within the API request logic? Any guidance would be greatly appreciated!
Error?
Only the host can download this recording. Please sign in to your Zoom account to download if you are the host. (200)
@jaron I know exactly what you are going through: I experienced this problem myself back in 2022 (see my explanation here) and also see my July 2023 comment on this thread where I tried to help someone who was experiencing this problem. I never heard back from that person, so I don’t know whether my explanation was helpful or not but I hope it helps you.
The TLDR is this: all modern HTTP clients such as curl and Microsoft’s .NET HTTP client, for example, have a built-in security feature that prevents forwarding passwords and tokens when following HTTP 307 Temporary Redirect responses AND the redirect URL is on a different domain. They do this on purpose to avoid leaking passwords and tokens. In the case of Microsoft, I can tell you that their HTTP client used to forward passwords and tokens until 2018. They closed the security gap in their HTTP client sometime in 2018 and all releases since then no longer forward passwords and tokens. The behavior I just described might be desirable from a security standpoint, but it conflicts with the way Zoom wants us to download files because they redirect our requests to a different domain.
I’m not super familiar with curl but I’m pretty sure there’s an option you can specify to authorize the token to be forwarded when following the HTTP 307 redirect.
@desautelsj Thank you so much for your detailed explanation! I really appreciate the historical context and background information you provided about HTTP clients, redirects, and how the handling of passwords and tokens has evolved over time. Your reply was not only informative but also incredibly helpful in clarifying why this issue occurs when trying to download Zoom files. The way you connected security considerations with the behavior of modern HTTP clients (like curl and Microsoft’s .NET client) was particularly insightful and gave me a better understanding of what’s happening under the hood.
After reading your response, I took another look at the curl man page and discovered that while the -L flag allows curl to follow redirects, I actually needed to use the --location-trusted option instead. This flag ensures the Authorization header is passed along when following the redirect, which resolves the issue with downloading files from Zoom. Your explanation led me directly to the solution, and I’m grateful for that! Thanks again for taking the time to share your expertise with the community here; your efforts are truly appreciated!
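Added example, not part of the thread above: curl's --location-trusted sends the credentials to whichever host a redirect points at, so a scripted downloader can instead follow the redirects itself and attach the token only to hosts it has explicitly allowed. The host names in `TRUSTED_HOSTS` and the function names are placeholders and assumptions, not values taken from Zoom's documentation.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Hosts allowed to receive the bearer token. Placeholder values (assumption):
# replace them with the API host and download host you actually observe.
TRUSTED_HOSTS = {"api.example.com", "files.example.net"}


def headers_for_hop(url, token, trusted_hosts=TRUSTED_HOSTS):
    """Headers for one hop: the token goes out only over HTTPS to a trusted host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname excludes userinfo and port
    if parts.scheme == "https" and host in trusted_hosts:
        return {"Authorization": f"Bearer {token}"}
    return {}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not auto-follow; the 3xx surfaces as HTTPError


def download(url, token, trusted_hosts=TRUSTED_HOSTS, max_hops=5):
    """Follow redirects by hand, re-deciding on every hop whether to send the token."""
    opener = urllib.request.build_opener(_NoRedirect)
    for _ in range(max_hops):
        req = urllib.request.Request(
            url, headers=headers_for_hop(url, token, trusted_hosts))
        try:
            with opener.open(req, timeout=30) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code not in (301, 302, 303, 307, 308) or not location:
                raise
            url = urljoin(url, location)  # resolve relative Location values
    raise RuntimeError("too many redirects")
```

A redirect to a host outside the allowlist is still followed, but without the Authorization header, which matches what the default -L behaviour does for every cross-domain hop.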