Question on authentication and using the SDK to join meeting without login

Description
I am very new at this, but am attempting to create an application for very non-tech savvy users that is as simple as possible and will let them press a button to join a hard-coded meeting ID (with limited features once connected). These are users without Zoom accounts, so I want to use the “join meeting without login” option. But what I’m not clear on is whether the application needs to authenticate before doing that or not. There seem to be some forum responses that indicate not, but when I try to join without having authenticated, Join() seems to return SDKERR_UNAUTHENTICATION which seems to imply I do need to authenticate first.

But if I do need to authenticate, I’m not sure how to do so for my application. For my testing, I am able to create a temporary JWT (following the instructions in the documentation), authenticate with it, and the “without login” Join works. But I don’t understand how I can do that for the final application that needs to be installed on the users’ computers. Obviously, even if I hardcoded the JWT, it would expire. Presumably, I could use a library to generate new JWTs every time it joins based on the SDK key/secret, but that would require hardcoding those, which seems like a bad idea. I don’t have any outside server that can generate JWTs for the application while keeping the key/secret private. If I understand correctly, OAuth requires a) the user to have a Zoom account and b) interaction in a browser, which isn’t going to work for me.

So ideally, I want it to be able to join without authentication, if that is possible. But if it isn’t, what’s the best way to authenticate under these circumstances?

Thank you for your assistance.

Which Windows Meeting SDK version?
5.9.1.2601

To Reproduce (If applicable)
N/A

Screenshots
N/A

Device (please complete the following information):

  • Device: HP laptop 17z-ca100
  • OS: Windows 10 Home

Additional context
N/A

Hi @abm4111, thanks for using our SDK.

Joining a meeting anonymously does not require any user authentication, so this should be possible. Based on what you’ve mentioned, there may be some conflation between developer authentication and user authentication.

Developer authentication is done using the SDK key & secret (usually with a JWT as you’ve already found), and is required for 100% of SDK use cases. User authentication allows the end users to verify their identity in Zoom’s back end. This is only required if the user is starting a meeting as the host, or if the meeting you are joining is configured to require user authentication.

We do not recommend hard-coding your developer credentials within your app in any way, as this is a major security vulnerability which can potentially give others access to your credentials. The recommended approach is to generate the JWT from your own server as-needed, which your SDK app could request.

Thanks!

Thanks for your response. So that seems to confirm that developer authentication is needed even when user authentication is not. As mentioned, my organization doesn’t currently have any kind of server that can be used to generate JWTs, and trying to create and host one somewhere would add a significant additional layer of complexity to this solution. Unless anyone is aware of a relatively simple out-of-the-box type solution for this…

Is there really no other alternative other than to hard-code developer credentials into the app (which does seem like a pretty terrible idea, even though the app will have limited distribution)?

And presumably hard-coding a long term JWT (which would at least be less insecure than hard-coding the credentials) and forcing the users to do an app update before/when it expires isn’t an option since the documentation says expiration has to be a max of 48 hours…

Hi @abm4111,

It is still possible to successfully authenticate the SDK with your developer credentials without the use of a back end server, as long as you are willing to accept the security risks associated with shipping credentials in your application. The only approach we recommend using is securely storing them in your own servers, but we do not have any way of enforcing how your credentials are stored, nor do we have plans to begin doing so.

Thanks!
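The server-side approach recommended in the replies above, sketched as an added example that is not part of the thread and is not Zoom's code: a small token-minting routine that signs a short-lived HS256 JWT so the SDK secret never ships inside the installed application. The claim names (`appKey`, `iat`, `exp`, `tokenExp`) and the function names are assumptions to check against the SDK documentation for your version; the credentials shown are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_TTL = 48 * 3600  # the thread cites a 48-hour maximum expiration


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _sign(signing_input: str, secret: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256)
    return _b64url(mac.digest())


def mint_sdk_jwt(sdk_key, sdk_secret, ttl_seconds=3600, now=None):
    """Server side only: sign a short-lived HS256 JWT for the client to use."""
    if not 0 < ttl_seconds <= MAX_TTL:
        raise ValueError("ttl_seconds must be within 1..172800")
    iat = int(time.time() if now is None else now)
    exp = iat + ttl_seconds
    header = {"alg": "HS256", "typ": "JWT"}
    # Assumed claim names; confirm against the SDK documentation for your version.
    payload = {"appKey": sdk_key, "iat": iat, "exp": exp, "tokenExp": exp}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + _sign(signing_input, sdk_secret)


def verify_sdk_jwt(token, sdk_secret, now=None):
    """Return the payload if signature and expiry are valid, else raise ValueError."""
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed token")
    head, body, sig = pieces
    if not hmac.compare_digest(_sign(head + "." + body, sdk_secret), sig):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= (time.time() if now is None else now):
        raise ValueError("expired")
    return payload


if __name__ == "__main__":
    # Constructed sample credentials; a real service loads them from its secret store.
    print(mint_sdk_jwt("constructed-sdk-key", "constructed-sdk-secret", ttl_seconds=1800))
```

Only the token, which expires, reaches the installed application; the key and secret stay on the server that runs this routine.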
