We received the notification from Zoom (attached below), and we have a few questions related to it (these first 3 question is most prior, and if you will answer our questions separately, please take care of them first):
- We are using JWT app. All our environments are using this JWT app, including development and production environments. Could you please advise us: what is the best practice to manage migration to a new app type so that it does not affect the production environment, but at the same time allows us to develop/test it in development/testing environments?
- Can we create a new app in our Zoom account and use/develop it in the development environment, while the production environment will still use our old JWT app?
- What app type (the OAuth app or the Server-to-Server OAuth app) is better for us as a replacement for the JWT app, given that we use web SDK and our web users enter Zoom sessions as a guest?
You can keep both JWT and Server-to-Server OAuth app types running concurrently. My organization created a separate Server-to-Server OAuth app, replaced the authentication implementation, and we could switch back and forth between the two application identities during staging and production testing, then we deactivated the JWT application on Zoom’s side once we were confident.
Server-to-Server OAuth is probably the best substitute for a JWT app because you don’t need each user to specifically grant permission to the app before use, which would have to happen for OAuth. Your administrator just needs to install the application once upfront.
Please note that OAuth tokens expire regularly (unlike JWT credentials) and refreshing them will immediately invalidate previous tokens, so you probably want to implement key rotation to maintain high availability, especially since you have multiple environments.
Thank you! Precise and clear answer!