Request Meeting on API Security

Hello,

I am trying to use the Zoom APIs to pass registrations from my form to Zoom. I am concerned about the security of using the API. From what I understand from the documentation, the OAuth token is written in plain text. Thus, if someone views the source code on my webpage, they would be able to view the OAuth token written in plain text. If they can view the OAuth token, they can use that token and the rest of the API documentation to write an API that will delete a meeting or do other things on my account that they are not authorized to do.

I’m not an expert in APIs and OAuth security. I’m trying to understand how to complete these registrations in a secure way. Could we schedule a short meeting to help me understand how these APIs are secure?

Hi @mfoster, scheduling a meeting may be difficult on our end, but we’re happy to help here. Don’t worry about not being an expert - these topics can be (are) confusing, and that’s why we’re here.

When using OAuth, you are authorizing an individual user to access their information on the client by communicating your Client ID and Client Secret credentials from server-to-server. These credentials must be stored as server-side secret variables, and should never be exposed to a user. Without these credentials, that user only has permission to take actions on their own account. Additionally, OAuth apps exclusively allow users to take actions which you (and Zoom) have granted permission through the app’s Scopes.

For an example of how to store server-side client credentials, check out our Sample OAuth Node.js app, which uses a config.js file imported into index.js, and requests an individual user’s info using /users/me.

Let us know if and how we can clarify!

Michael,

For the scenario I outlined, registering customers for webinars, would it be best to use OAuth or JWT?

OAuth seems to be a Zoom user thing. My customers will not have Zoom accounts. Thus, I’ll need a solution that does not require them to be users. Is JWT that solution?

Great question and solution, @mfoster. JWT may in fact be your answer. JWT apps are intended for Account-level server-server apps. (To clarify: this means an app to manage your Zoom account; a User-managed app would be the alternative).

If the registrations on your form do not need to be Zoom Users, then I would suggest using an Account-level app. Each HTTP request made by your form submission server will need to be authenticated with a JWT. We suggest using a JWT.io library to do this, which we walk through in our JWT guide.

As for your original question about security, once again - the credentials to generate a JWT are stored secretly as environment variables and cannot be exposed in the client. There’s an example of this in our Sample JWT app. Let me know if you have any questions on any of this.

Michael,

I am specifically trying to make the API call happen in the Thank You Code of a Pardot form.

The Zoom-Pardot integration is sparse and would require us to have a different page for registrations for every webinar. We like to keep all of our webinars on one page and in one form.

How can I set these API environmental variables securely? I’m aware I can set the variable in one script file and then call it in another. However, with the Pardot Thank You Code option, I cannot think of a way to have the Thank You Code call some other script or variable. The only thing I can think of is to have the secret/key/password all in plain text in that code, but that is a huge security vulnerability. Can you think of a way around this issue?

Hi @mfoster, you are correct. You are not going to be able to securely handle this type of request in a client-side Pardot form. You must be running a server-server connection to generate authenticated tokens to authorize requests. To be very clear about this: do not ever put your secret/key/password anywhere client-side.

A solution to this is still possible; however, you’ll just need to create a private JWT app on our Marketplace. You’ll need to have a server (application) running in order to receive submissions made by your form and handle them as secure authenticated requests to Zoom. This server/application will be what holds your environment variables.

From your webpage (client-side), a form containing the customer/registrant’s information would be submitted to a server-side app. This form submission could conceivably be handled by the Pardot Thank You Code, if it contained the user’s original form submission and all that it was doing is submitting a request to your app/server. Your app would then handle this submission, generate a token, and submit the data to Zoom to create the new registrant. Here’s a Quickstart to a Node app that generates JWT and submits an email address to create a new User. In your use case, you would make a request to the Webinar API instead.