Limiting scopes on server-to-server OAuth

clomotey · May 16, 2023, 3:58pm

We are developing an App which requires Server-to-Server OAuth. The scopes requested for the App are:

View and manage sub account’s user webinars /webinar:master
View all user Webinars /webinar:read:admin
View and manage all user Webinars /webinar:write:admin

Scopes 2 & 3 appears to give the user read, write and admin rights over all users on our Tenant. If this is correct, is it possible to limit these scopes?

My preference is that only a specific user(s) can be defined as admins of the App, and these users will have read/write/Admin rights to only the webinars that they create. The users of the App should not have read/write/admin access to all webinars on our Zoom Tenant

elisa.zoom · May 18, 2023, 3:04pm

Hi @clomotey
Thanks for reaching out to us, unfortunately, there is no way to limit scopes to certain users.
The server to server app is an account level app type so it will have access to all the users under the account
Have you tried using a User level Oauth app?
https://developers.zoom.us/docs/integrations/#who-can-add-your-app

Topic		Replies	Views
Trouble adding scopes to server-server auth app Webinars	1	483	December 16, 2022
Server-to-server oauth app API and Webhooks api	1	177	July 14, 2023
Adding scopes to OAuth server to server API and Webhooks s2s-oauth	1	376	May 24, 2023
Cannot figure out the right permissions to make particular scopes available to my app Webinars	2	375	September 13, 2022
Server to Server App - restrict access to specific account API and Webhooks api	4	288	April 7, 2024

Limiting scopes on server-to-server OAuth

Related Topics