OAuth for server-to-server

Description
I have a server-side application to access some Zoom APIs, which does not have any front-end UI. I am currently using JWT to authorize. I would like to switch to OAuth as it seems more secure compared to exposing my api_secret in JWT.
But OAuth requires a redirect URL, so it requires UI and user-interaction. Is there any way to get around this and do this completely automated through code?

Hey @pnarendra, thanks for posting and using Zoom!

There is, simply activate the OAuth install once. You can use any redirect url, like https://zoom.us.

After install, get the auth code in the query param of the URL, and use it to request an access_token.

Now you can completely automate the process. Save the access_token and refresh_token, and implement logic that refreshes the access_token, and then makes the respective requests.

Does that make sense?

Thanks,
Tommy
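
Added example (not part of the original thread and not Zoom's code): one way to implement the save-and-refresh logic described in the reply above, as a hypothetical `TokenStore` that caches the access_token on disk and only calls the token endpoint shortly before expiry. The endpoint URL, Basic authentication with the app's client ID and secret, and the `grant_type`/`expires_in` field names are assumptions based on standard OAuth 2.0 and are not stated in the thread; the tokens in `demo()` are constructed.

```python
import base64, json, os, tempfile, time, urllib.parse, urllib.request

TOKEN_URL = "https://zoom.us/oauth/token"  # assumption: Zoom's token endpoint, not given in the thread
SKEW = 60  # refresh this many seconds before the stated expiry

def http_post(url, headers, form):
    """Real transport: form-encoded POST that returns the parsed JSON body."""
    req = urllib.request.Request(url, urllib.parse.urlencode(form).encode(), headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenStore:
    """Caches tokens on disk; calls the token endpoint only when near expiry."""
    def __init__(self, path, client_id, client_secret, post=http_post, clock=time.time):
        self.path, self.post, self.clock = os.path.abspath(path), post, clock
        creds = f"{client_id}:{client_secret}".encode()
        self.auth = {"Authorization": "Basic " + base64.b64encode(creds).decode()}

    def _save(self, state):
        # mkstemp creates the file 0600; os.replace swaps it in atomically.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path))
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)
        os.replace(tmp, self.path)

    def access_token(self):
        with open(self.path) as f:
            state = json.load(f)
        if state.get("expires_at", 0) - SKEW > self.clock():
            return state["access_token"]  # still valid: no network call
        body = self.post(TOKEN_URL, self.auth, {
            "grant_type": "refresh_token", "refresh_token": state["refresh_token"]})
        self._save({
            "access_token": body["access_token"],
            # keep the new refresh_token if the server rotates it
            "refresh_token": body.get("refresh_token", state["refresh_token"]),
            "expires_at": self.clock() + int(body["expires_in"])})
        return body["access_token"]

def demo():
    # Constructed offline run: fake transport, seed file standing in for the one-time install.
    calls = []
    def fake_post(url, headers, form):
        calls.append(form["refresh_token"])
        return {"access_token": "at1", "refresh_token": "rt1", "expires_in": 3600}
    seed = os.path.join(tempfile.mkdtemp(), "zoom_tokens.json")
    with open(seed, "w") as f:
        json.dump({"refresh_token": "rt0"}, f)
    store = TokenStore(seed, "CLIENT_ID", "CLIENT_SECRET", post=fake_post)
    return store.access_token(), store.access_token(), calls
```

Seed the JSON file once with the refresh_token obtained from the one-time install, and supply the client ID and secret from the environment or a secrets manager rather than from source code.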

It does. Thank you @tommy. Though I would like to ask for details regarding creating the OAuth credentials. Since my application is not really an app, what information would be appropriate for Privacy Policy URL, Terms of Use URL, etc.?

Hey @pnarendra,

If this is an internal app (only used by your Zoom account/users), it does not need to be published to the Zoom App Marketplace.

You can ignore those fields 🙂

Thanks,
Tommy

Hey @tommy,
If that's the case, then how do you create the account-level credentials for OAuth?

Thank you for the help

Hey @pnarendra,

Simply create an Account Level OAuth app here, with Intent to Publish set to no.

Thanks,
Tommy

Hey @tommy,
That worked! Thanks a lot for that!

Is there a way to increase the expiry time for the access token as 1 hr is too small a time period. I was wondering if there is a way to keep the access token for a day or two?

Hey @pnarendra, happy to hear that worked! 🙂

No, the access_token only lasts for 1 hour. However, you could simply refresh the token each time you make a request.

That being said, the expiry setting is the benefit of using JWT; you can set it for any amount of time.

Thanks,
Tommy

@tommy, is there a plan to increase the OAuth-based access_token expiry time to be more than 1 hour? It would be great if there were an option to configure the expiry interval, with an upper bound set.

Also, is only one JWT app allowed per organisation? We have one JWT app created, and we don't see that the Marketplace allows creating a second JWT app. Is this the case?

The problem with one JWT app (JWT token) is the limited API rate limit.

Regards
Dilip

Hey @Dilip_Reddy_Guda,

There are no plans to increase the OAuth token expiry. You can refresh each time before you make a request if you would like:

Correct, only one JWT App can be created per organization since it has full access to most of the Zoom APIs.

Thanks,
Tommy

@tommy
We had an issue with one of the OAuth apps, wherein close to 11K refresh token calls were made in a span of one day (06/26). We would like to know if there are any audit logs for this app, to understand what the response from Zoom was when the API calls were made.

App name: MIM SURF Production

How many tokens were issued for this app on 06/26?
Were there any error responses while refreshing the token related to this app?

Regards
Dilip