JWT vs OAuth -- Which One to Use

I’m new to the land of Zoom API and I’m confused with JWT vs OAuth for an API.

Question #1: Am I understanding it correctly that you can only have one JWT public/private/token per Zoom customer site (company A, let's say)? …and this JWT’s public/secret key information is shared across all APIs and any JWT app has access to ALL JWT API apps on the site? This seems dangerous to me in that any of these JWT users could potentially re-generate keys? Please comfort me with insightful wisdom here. :)

Question #2: OAuth seems a bit more secure than JWT in that an OAuth app gets its own dedicated public/private keys? And if OAuth uses ‘scopes’, does this limit the use of OAuth where JWT has more access beyond available OAuth scopes?

Question #3: With Zoom API builds, I’m sensing that OAuth is the most secure approach and not use JWT. Are there limitations by restricting to OAuth? Are there API build scenarios that ABSOLUTELY require the use of JWT?

Waiting with great anticipation to obtain wisdom from you awesome developer humanoids.

Hey @jimmy.hale,

Thank you for reaching out to the Zoom Developer Forum.

Question #1: Am I understanding it correctly that you can only have one JWT public/private/token per Zoom customer site

You’re correct in that an account can only have one JWT token. This token can only be accessed by a user that has Developer and Marketplace roles assigned. This will make sure that only authorized users have access to the JWT token. That same level of restriction exists for account-level OAuth apps as well.

Question #2: OAuth seems a bit more secure than JWT in that an OAuth app gets its own dedicated public/private keys?

JWT is an account-wide app and is available to all the admins and owners of the account. You can have only 1 JWT marketplace app registered in your account. You can generate multiple JWT tokens using the JWT keys, and the tokens operate independently of each other until expired or the credentials have been changed.

Question #3: With Zoom API builds, I’m sensing that OAuth is the most secure approach and not use JWT.

A JWT token will contain all the permissions, and there is no way to restrict it. A JWT token is only valid for your account. There isn’t an API that requires the use of a JWT token but there are APIs, such as the account-level chat APIs, that require an account-level OAuth app. You can use an OAuth App if you want to have limited permissions for your token.

In short, JWT tokens are best for server-to-server communication whereas OAuth apps are best when you want to make requests on a user’s behalf or if you want to limit what your app can do by scope.

Depending on the App type (Account Level or User Managed), the app needs to be authorized by either the account admin or the user. To know more, please visit: https://marketplace.zoom.us/docs/guides/build#understanding-app-types

I hope that helps! Let me know if you have any questions.

Thanks,
Max
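The following is an added worked example, not code from the forum thread or from Zoom. It models the behaviour Max describes above: several tokens minted from the one account-wide JWT key/secret pair are independent of each other, each lives until its own expiry, and rotating the secret kills all of them at once. It assumes the documented shape of a Zoom JWT (HS256, `iss` set to the API key, `exp` as a Unix timestamp); the credentials are constructed placeholders and the helper names (`mint_zoom_jwt`, `verify_zoom_jwt`, `demo`) are this example's own. Only the standard library is used so it runs offline; in production you would normally use a library such as PyJWT.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample credentials for the example (not real Zoom credentials).
API_KEY = "AbCdEfGhIjKlMnOpQrStUv"
API_SECRET = "example-api-secret-do-not-use"


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for each segment.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_zoom_jwt(api_key: str, api_secret: str, ttl_seconds: int = 60,
                  now: Optional[int] = None) -> str:
    """Build an HS256 JWT in the shape Zoom's JWT app type expects:
    header {alg: HS256, typ: JWT}, payload {iss: API key, iat, exp}.
    Note there is no scope claim: the token carries the whole account's permissions."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": api_key, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(api_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_zoom_jwt(token: str, api_secret: str,
                    now: Optional[int] = None) -> Tuple[bool, str, Optional[dict]]:
    """Check a token the way the API side would: pinned algorithm, constant-time
    signature compare, then expiry. Returns (ok, reason, payload)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never trust the alg from the token blindly
        return False, "unexpected alg", None
    expected = hmac.new(api_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature", None
    payload = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if int(payload.get("exp", 0)) <= now:
        return False, "expired", None
    return True, "ok", payload


def auth_header(token: str) -> dict:
    # Zoom REST calls send the JWT as a bearer token.
    return {"Authorization": f"Bearer {token}"}


def demo(now: int = 1_700_000_000) -> dict:
    """Mint two tokens from the same account credentials and show how they behave."""
    token_a = mint_zoom_jwt(API_KEY, API_SECRET, ttl_seconds=60, now=now)   # short-lived
    token_b = mint_zoom_jwt(API_KEY, API_SECRET, ttl_seconds=300, now=now)  # longer-lived
    r = {"tokens_differ": token_a != token_b}

    # Both are valid at the same time and do not depend on each other.
    r["a_at_30s"] = verify_zoom_jwt(token_a, API_SECRET, now=now + 30)[1]
    r["b_at_30s"] = verify_zoom_jwt(token_b, API_SECRET, now=now + 30)[1]

    # Each token dies on its own expiry.
    r["a_at_120s"] = verify_zoom_jwt(token_a, API_SECRET, now=now + 120)[1]
    r["b_at_120s"] = verify_zoom_jwt(token_b, API_SECRET, now=now + 120)[1]

    # Regenerating the account's API secret invalidates every outstanding token at once.
    rotated_secret = API_SECRET + "-rotated"
    r["a_after_rotation"] = verify_zoom_jwt(token_a, rotated_secret, now=now + 30)[1]
    r["b_after_rotation"] = verify_zoom_jwt(token_b, rotated_secret, now=now + 30)[1]

    # A client cannot extend its own token: re-signing the payload needs the secret.
    h, _p, s = token_b.split(".")
    longer = _b64url(json.dumps({"iss": API_KEY, "iat": now, "exp": now + 86400},
                                separators=(",", ":")).encode())
    r["tampered"] = verify_zoom_jwt(f"{h}.{longer}.{s}", API_SECRET, now=now + 30)[1]

    # The claims on a valid token: there is nothing like an OAuth scope to narrow it.
    r["claims"] = sorted(verify_zoom_jwt(token_b, API_SECRET, now=now + 30)[2].keys())
    r["header"] = auth_header(token_b)["Authorization"].startswith("Bearer ")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical takeaways match the answer above: the only levers on a JWT app are the token's `exp` and rotating the account secret (which is a blunt instrument, since every integration signing with that secret breaks at once), and whoever holds the secret holds the full account permissions. An OAuth app adds a per-app client secret and scopes, so a leak is contained to one app and to the scopes it was authorized for.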