It is good to see you again!
1: It depends on your use case. If you do not want your users to have to log in, you would need to obtain a ZAK every time your application is run. As for the JWT: When you create a JWT, you get to specify how long the JWT can be used. You can specify it to be valid for a few hours, or up to 2 days. If the JWT has timed out, you need a new one.
2: Yes you can. To obtain a ZAK you must provide a JWT, and a JWT is only valid for a certain period of time. If you set that time to be a few hours you could store the ZAK in userDefaults for that amount of time.
3: You must provide a ZAK when joining/starting a meeting if the user is not logged in. If you do not already have a valid ZAK, you would generate one right before the user is about to join or start a meeting. Similarly you need to provide a JWT to obtain a ZAK. If you already have a valid JWT, you do not need to generate one at that moment, if you do not have a valid JWT you would need to generate one right before generating a ZAK.
This is a complicated process and is implemented for security measures, so let me explain a few things further.
The Zoom SDK and Zoom API’s are different systems. When you log into the Zoom Marketplace you will notice there is a SDK tile and a JWT tile. The SDK tile has credentials for the SDK but not API, the JWT tile has credentials for the API and not the SDK.
When you initialize the SDK, you must provide your client key and client secret, or a JWT created with your client key and secret.
When you make API calls, you must provide a JWT created with your API Key and API Secret. The JWT that is provided in the Zoom Marketplace within the JWT tile, is a valid JWT that is created using your API Key and Secret.
When you are obtaining a ZAK, you are accessing the API and not the SDK. Therefore, the JWT you provide must be made from your API credentials not your SDK credentials.
Let me know if any of that needs clarification, or if you have any other questions.