Proper Auth type for a SaaS platform that creates meetings for third party customers

We are currently integrated with Zoom API and webhooks using JWT but we read that it will be deprecated by June 2023, so we are trying to decide what would be the best way to move forward.

Our web-based application currently creates meetings for our sales reps (all these Zoom accounts are child accounts of our master account). We are making our web application public now, allowing other companies to link their master account to our service, and were wondering what would be the best way to authenticate at Zoom’s API, given that our application will be the one creating meetings, catching events, etc.

Thanks in advance for any inputs on this.

Hi @jonshugart ,

For creating meetings for child accounts of your master account, Server-to-Server OAuth App should be sufficient.

For other companies, an Account-Level OAuth App with the appropriate OAuth scopes will allow you to do this.

All the best,
Gianni

Hi Gianni,

Thanks for your reply.

How would an Account-Level OAuth App be different from just creating a Server-to-Server OAuth App and requesting our customers to send us their account id, client id and client secret? This last scenario would be ideal to us.

We just need them to give us their credentials in order for us to create meetings for them. Would Account-Level OAuth App require them to log in to Zoom and grant permissions to our App?

@jonshugart, sharing account credentials with people outside of one’s account is not a supported Zoom security practice, so I cannot recommend the ideal scenario you outlined.

Yes, they would install the app and give permission to access their account by way of the app.
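The install-and-consent flow described in the reply above, as an added example that is not part of the thread and not Zoom's or the posters' code: the SaaS holds one client id/secret for its own account-level OAuth app and stores per-customer tokens, so no customer secret is ever handed over. The credentials, redirect URI, tenant ids and helper names are hypothetical, and the endpoint URLs are assumed from Zoom's OAuth documentation.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlencode

# Assumed: placeholder app credentials; Zoom OAuth endpoints (check current docs).
CLIENT_ID, CLIENT_SECRET = "APP_CLIENT_ID", "APP_CLIENT_SECRET"
REDIRECT_URI = "https://saas.example/zoom/callback"
AUTHORIZE_URL = "https://zoom.us/oauth/authorize"
TOKEN_URL = "https://zoom.us/oauth/token"
STATE_KEY, STATE_TTL = secrets.token_bytes(32), 600  # per-process key, 10 min

def _sign(payload):
    return hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).hexdigest()

def make_state(tenant_id, now=None):
    """Signed state tying the consent redirect to one of our tenants."""
    ts = int(time.time() if now is None else now)
    payload = f"{tenant_id}.{ts}.{secrets.token_hex(8)}"
    return f"{payload}.{_sign(payload)}"

def verify_state(state, now=None):
    """Return the tenant id for an authentic, fresh state; else ValueError."""
    try:
        payload, sig = state.rsplit(".", 1)
        tenant_id, ts, _nonce = payload.rsplit(".", 2)
    except ValueError:
        raise ValueError("malformed state") from None
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        raise ValueError("state signature mismatch")
    if (time.time() if now is None else now) - int(ts) > STATE_TTL:
        raise ValueError("state expired")
    return tenant_id

def authorize_url(tenant_id):
    """URL the customer's Zoom admin visits to install the app and consent."""
    q = {"response_type": "code", "client_id": CLIENT_ID,
         "redirect_uri": REDIRECT_URI, "state": make_state(tenant_id)}
    return f"{AUTHORIZE_URL}?{urlencode(q)}"

def token_request(code):
    """Build (not send) the code exchange; only our app's secret is used."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI})
    return TOKEN_URL, {"Authorization": f"Basic {basic}"}, body

def handle_callback(params, token_store, exchange):
    """Verify state, exchange the code via `exchange`, store tokens per tenant."""
    tenant_id = verify_state(params["state"])
    token_store[tenant_id] = exchange(*token_request(params["code"]))
    return tenant_id
```

`exchange` is the caller's HTTP POST function; in production the state key and the token store need to be persistent and the stored tokens encrypted at rest.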

It’s great that you’re already thinking ahead and considering the best approach to move forward. Since your web-based application creates meetings for sales reps and will now be public, allowing other companies to link their master account to your service, you need to figure out the most secure and efficient way to authenticate with Zoom’s API.

My suggestion would be to explore other authentication methods that are recommended by Zoom and are also secure, such as OAuth 2.0. Additionally, you may want to consider working with Zoom’s support team to identify the best approach for your specific use case.

Overall, it’s crucial to ensure that your application maintains the highest level of security while still providing a seamless user experience for your customers, especially in the B2B SaaS business where data privacy and security are paramount. I hope this helps, and feel free to reach out if you have any further questions or concerns!!
