JWT Token Restrictions

Description
We are currently using JWT tokens to pull data from the Zoom API. However, we found out that we can perform all HTTP operations using the JWT token (POST, PATCH, DELETE). For security reasons, we just want to restrict the operations to GET.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
JWT

Which Endpoint/s?
Sample Endpoint: https://api.zoom.us/v2/metrics/meetings?from=2021-07-01&page_size=10&type=past

How To Reproduce (If applicable)
Steps to reproduce the behavior:

  1. Call Endpoint using PATCH or DELETE
  2. Can make changes to data (which we don’t want)

Hey @agffior,

Thank you for reaching out to the Zoom Developer Forum. Currently, we don’t have a method to restrict the scope of access when using a JWT App.

When using an OAuth App, you can select scopes that only allow reading of data, instead of writing, and this would effectively disable POST, PATCH, DELETE requests when using that app.

Let me know if that helps.

Thanks,
Max
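Since a JWT app cannot be scoped, one compensating control is to route every Zoom API call through a wrapper that refuses any verb other than GET before it touches the network. The example below is added here and is not Zoom's code; it assumes the HS256 JWT-app token layout (`iss` = API key, short `exp`) and uses only the standard library, with an injectable transport so it can be exercised offline.

```python
import base64, hashlib, hmac, json, time
from urllib import request, parse

ZOOM_API_BASE = "https://api.zoom.us/v2"
READ_ONLY_METHODS = frozenset({"GET"})  # the only verb this wrapper will forward

class WriteAttemptBlocked(Exception):
    """Raised when code tries a non-GET call through the read-only wrapper."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_zoom_jwt(api_key: str, api_secret: str, ttl_seconds: int = 60, now: int = None) -> str:
    # Short-lived HS256 token; iss = API key, exp = now + ttl (assumed JWT-app layout).
    issued = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"iss": api_key, "exp": issued + ttl_seconds}, **compact).encode())
    sig = hmac.new(api_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def guard_request(method: str, path: str, token: str, transport=None, **query):
    """Forward only allowlisted verbs; anything else is refused before any network I/O."""
    verb = method.upper()
    if verb not in READ_ONLY_METHODS:
        raise WriteAttemptBlocked(f"{verb} {path} refused: wrapper is read-only")
    url = f"{ZOOM_API_BASE}{path}" + ("?" + parse.urlencode(query) if query else "")
    req = request.Request(url, method=verb, headers={"Authorization": f"Bearer {token}"})
    # transport is injectable for tests; the default performs the real HTTPS call.
    send = transport or (lambda r: json.load(request.urlopen(r, timeout=10)))
    return send(req)

if __name__ == "__main__":
    # Constructed placeholder credentials; a real key/secret come from the JWT app settings.
    tok = mint_zoom_jwt("PLACEHOLDER_API_KEY", "PLACEHOLDER_API_SECRET")
    echo = lambda r: (r.get_method(), r.full_url)  # offline transport: no request is sent
    print(guard_request("GET", "/metrics/meetings", tok, transport=echo, type="past"))
    try:
        guard_request("PATCH", "/meetings/123", tok, transport=echo)
    except WriteAttemptBlocked as e:
        print("blocked:", e)
```

The wrapper only protects code paths that use it; the underlying JWT credential itself remains fully privileged, so its rotation and storage still matter.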
