Oauth App Publishing Timelines

Hi Zoom API team,

We are wondering about the timeline for publishing Oauth Apps. Once we have all of the material in place for our two apps, around how long should we expect it to take for the applications to be published? Also, once we have published them, if we want to make changes to any of the details or the screenshots/video what is the process/timeline for republishing?

NGPVAN/EveryAction Team

Hi @NGPVANEveryAction, to start, this timeline is highly contingent on app descriptions, documentation, screenshot content, and the quality of functional testing. Following our Submissions Checklist, this process shouldn’t take more than a couple of days.

Please note, there may be a delay given a recent surge in app submissions, but our team is working hard to maintain a timely and quality turnaround in functional reviews.

Each upgrade (in which new or different scopes are requested) will require a unique Submission Review.

Please let us know if you have any questions, we’re here to help :slight_smile:

1 Like

Thanks @michael.harrington that is helpful!

I have a couple more questions:

  1. We are interested in getting the app on the marketplace with basic screenshots and no video and then republishing with nicer screenshots and a video once we are live to clients. Would that require a unique submission review?

  2. Can the support/documentation link be behind a login for our users? Our entire helpdoc site is behind a login.

  3. I’ve been looking into deauthorization and I am wondering if a user can change their user_data_retention preference after they have made it. We are a CRM product and I can imagine that a user might accidentally ask for the data to be removed when the admin at their organization would definitely not want that to happen and would want to reverse that request when we notify them that will need to delete any data we recieved from you all.

NGPVAN EveryAction Team


Hey @NGPVANEveryAction,

You can simply update your app with the new screenshots after it has been published.


Good point, I will bring this up to our team.


Thanks for the responses @tommy. I have a number of follow-up questions about deauthorization and the submission checklist.

  1. Will we need to send you all a PDF of our apps’ documentation so that you can review it?

  2. In regards to @michael.harrington’s comment earlier: What did you mean by "the quality of functional testing."Do you all need to use our marketplace app somehow before it gets verified??

  3. Can you help us understand better what you mean by “deleting User data” when the user asks us to remove it during deauthorization. We are a non-profit and political org CRM and we will very likely create records based on webinar registrant data that will then have subsequent actions taken on them, such as a user submitting a contribution to the organization after the event is over. Does your compliance require that we delete data all data we have ever received from you through the marketplace app or specifically data about the user?

  4. In this feature request: Full participant data for webinars for a user-level OAuth App we discussed the need for a webinar participant data endpoint. Since that doesn’t exist and your webhooks retries are disabled we are planning on publishing two separate apps. One for our using to link to webinars (which will be an Account-Level Oauth App, since we will have to hit the Webinar Participants Report endpoint) and another to link to meetings (which will be a User level app, so that non-zoom admins can install this app). Is that going to be acceptable? We’d love to make it one user level app, but we can’t do that without retries and/or a webinar participants endpoint.

  5. Speaking of ramifications of webhooks being turned off. We are planning on implementing a daily poll for registrations and attendance of all meetings/webinars that are linked to our system by our users and where the date of the meeting/webinar is within 2 days of today. I’m not sure if this would constitute “long polling” the API, but we feel that this will be necessary for reliability as long as the webhooks don’t have retries. Is this going to be a problem? Is there something else that you would like us to do?

Hey @NGPVANEveryAction,

You will send this during the app review process.

Yes, our app reviewers will install your app to make sure it works.

Per user basis, the userID is included in the deauth request.

Yes, that should be acceptable, however this can be discussed during the review process.

As long as you stay within our rate limits, you should be fine.


Hi Tommy,

A couple followups:

Our app will only be installable from within our software which does not have a freemium plan. I’m not sure if it would be possible to give your team a user account in our product to test the integration, but is that what you are saying must occur?

I don’t think I was clear here. What does User data include? It’s not clear from the documentation. In Deauthorization Notification - Webhook Only oAuth App you indicate that webinar recordings are not considered user-specific data. Obviously user PII is user data, but what about meeting/webinar registration information that was retrieved from a users account? Is that “user-data” that must be removed if they ask for it to be removed during uninstall?

Thanks for responding to all of my follow-up here!

NGPVAN/EveryAction Team

Hey @NGPVANEveryAction,

Yes, however if complications are in place, this can be discussed with our app review team once you submit.

Any user data that you have collected based from a specific user that has authorized your app.