JWT app vs Server to Server OAuth app

With the deprecation of the JWT app from the Marketplace next year, we have been encouraging developers to start migrating from their JWT app to the Server-to-Server OAuth app, which provides more granular scoping options for internal apps that retrieve data from our endpoints.

Now, what are the differences between JWT apps and Server-to-Server OAuth apps?

  1. Internal JWT apps, created by account admins, have wide scope access.
  2. Server-to-Server OAuth allows individual users to create apps with scoped access to APIs which reflects the access they already have.
  3. JWT apps rely on generating the token locally using account credentials (API Key and API Secret).
  4. Server-to-Server OAuth apps rely on requesting an access token from the Zoom OAuth endpoint using account credentials (Account ID, Client ID, and Client Secret).
  5. Access tokens generated with the Server-to-Server OAuth app are only valid for one hour (a new one must be requested once it expires).

It is important to emphasize that the only thing that changes with this migration is the way the access token is requested; making the API call remains the same.

But how can you enable the Server-to-Server OAuth app, and how can you make sure that specific permissions are reflected on the app itself?

Once the app is enabled in the account (refer to this post if needed: How to use Server-to-Server OAuth app with Postman), it is important to define which permissions you want to grant to the developers that will have access to this type of app, because the developer will only see the scopes that they can authorize.

For example, let’s say that you do not want your developer to have access to the Dashboard, so you have to make sure that in the Roles setting for that developer those features are disabled:

(ADMIN > User Management > Roles > Edit)

What this will ensure is that those scopes won't be visible or available in the developer's Server-to-Server app.

Here are some code snippets that demonstrate generating an access token with a JWT app, requesting an access token with a Server-to-Server OAuth app, and how the API call to the Get Users endpoint is the same in both cases:

  • Using JWT app credentials to generate an access token, then using it to make an API call to our Get Users endpoint.

  • Using Server-to-Server OAuth app credentials to request an access token from the Zoom OAuth endpoint, then using it to make an API call to the same Get Users endpoint.

It is important to note that once your access token expires, you just need to make the same request to the Zoom OAuth endpoint to generate a new one (there is no refresh token involved); but generating a new token invalidates the previous one (even if it had not expired yet).
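The following is an added example (not the snippets from the original post) that puts the two flows side by side: a JWT app token signed locally with the API Secret, a Server-to-Server OAuth token request to the Zoom OAuth endpoint, a small cache that re-requests the token only near expiry (since a new request invalidates the previous token), and the Get Users call that is identical in both cases. It builds the HTTP requests as `urllib.request.Request` objects without sending them, and all credential values are placeholders.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://zoom.us/oauth/token"  # Zoom OAuth endpoint used by S2S apps
API_BASE = "https://api.zoom.us/v2"        # REST API base; Get Users is GET /users

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_app_token(api_key: str, api_secret: str, ttl: int = 60) -> str:
    """Legacy JWT app: the token is minted locally and HS256-signed with the
    account-wide API Secret, so whoever holds the secret holds wide access."""
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header, payload = {"alg": "HS256", "typ": "JWT"}, {"iss": api_key, "exp": int(time.time()) + ttl}
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(api_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_jwt_app_token(token: str, api_secret: str) -> bool:
    """Recompute the HS256 signature and compare in constant time."""
    head, body, sig = token.split(".")
    expected = hmac.new(api_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)

def s2s_token_request(account_id: str, client_id: str, client_secret: str) -> Request:
    """S2S OAuth: Zoom issues the token. Client ID/Secret travel as HTTP Basic auth
    to the token endpoint; the Account ID and grant type go in the query string."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    query = urlencode({"grant_type": "account_credentials", "account_id": account_id})
    return Request(f"{TOKEN_URL}?{query}", method="POST", headers={"Authorization": f"Basic {basic}"})

class S2STokenCache:
    """Keeps the single live token and re-requests it only near expiry. A new
    request invalidates the previous token, so every caller must share one cache."""
    def __init__(self, fetch, skew: int = 60):
        self._fetch, self.skew = fetch, skew    # fetch() sends s2s_token_request and returns the JSON body
        self._token, self._expires_at = None, 0.0
    def get(self, now=None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self.skew:
            body = self._fetch()                 # {"access_token": "...", "expires_in": 3600, ...}
            self._token, self._expires_at = body["access_token"], now + body["expires_in"]
        return self._token

def get_users_request(access_token: str) -> Request:
    """The API call itself is identical for both app types: only the bearer value differs."""
    return Request(f"{API_BASE}/users", headers={"Authorization": f"Bearer {access_token}"})
```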

Thanks for reading and Happy Coding :slight_smile:
