JWT vs OAuth -- Which One to Use

Hey @jimmy.hale,

Thank you for reaching out to the Zoom Developer Forum.

Question #1: Am I understanding it correctly that you can only have one JWT public/private/token per Zoom customer site

You’re correct in that an account can only have one JWT token. This token can only be accessed by a user that has Developer and Marketplace roles assigned. This will make sure that only authorized users have access to the JWT token. That same level of restriction exists for account-level OAuth apps as well.

Question #2: OAuth seems a bit more secure than JWT in that an OAuth app gets its own dedicated public/private keys?

JWT is an account-wide app and is available to all the admins and owners of the account. You can have only 1 JWT marketplace app registered in your account. You can generate multiple JWT tokens using the JWT keys, and the tokens operate independently of each other until expired or the credentials have been changed.

Question #3: With Zoom API builds, I’m sensing that OAuth is the most secure approach and not to use JWT.

A JWT token will contain all the permissions, and there is no way to restrict it. A JWT token is only valid for your account. There isn’t an API that requires the use of a JWT token, but there are APIs, such as the account-level chat APIs, that require an account-level OAuth app. You can use an OAuth App if you want to have limited permissions for your token.

In short, JWT tokens are best for server-server communication whereas OAuth apps are best when you want to make requests on a user’s behalf or if you want to limit what your app can do by scope.

Depending on the App type (Account Level or User Managed), the app needs to be authorized by either the account admin or the user. To know more, please visit: https://marketplace.zoom.us/docs/guides/build#understanding-app-types

I hope that helps! Let me know if you have any questions.

Thanks,
Max
