The host_key solution (basically a weak secret tied to an user account) was a bad design, no doubt about that.
However, the solution is a worst design to fix it plus screw up all developers (that are not corporate payers).
Let me explain you how bad it is.
Currently the host key is not available in the API responses, but it’s still available in the user profile. It’s also non-editable. So basically, if it leaks, no way to re-generate it and mitigate the leak. “Call the support” I guess.
I did a huge rework of an integration due to “more secure API communication” I was told in the Changelog. So now we do server to server OAuth communication. But the insecure host key is not available? How does it make sense? Why the host key is not in the meeting object on the first place? The meeting “knows” its host, a temporary key makes sense (it mitigates a security risk of compromising a secret on account level), and Zoom backend can infer user by the already JWT signed meeting. I completely fail to understand why such simple design is so hard.
I have integration that manages meetings/users on behalf of master customer account. I allow the host user to take over the meeting if an incident happens, given the fact all participants are behind my own authentication. The host user security involves hardware key, completely managed Zoom user and encrypted session. I would argue that I’m good security wise.
To summarize, I’ve looked at all proposed solution and none works for the integrations I did for my customers. Zoom fails to provide a temporary host key per meeting and because of that it punishes the developers. Even the developers of Enterprise Zoom customers has to go through hell to make the “alternative” work. I’m actively searching for an alternative service and will rather develop my own meeting solution than integrate Zoom in the feature. A company that doesn’t respect (at least) the community of developers that sell its product through their customers, report bugs and overall improve the product every day, doesn’t deserve a business.