Hello,
I am developing an application that uses OAuth to obtain access tokens and refresh tokens from users in order to retrieve recordings and transcripts. The users belong to Company A, and the application is intended to be developed by Company B (as data processing needs to be performed by Company B).
I have the following questions:
If this implementation is carried out, I believe it will be necessary to store Company A’s access tokens and refresh tokens in Company B’s storage. Would this violate Zoom’s terms of service?
If this does not constitute a violation, could you please share best practices for securely managing tokens while maintaining confidentiality?
I am struggling to find a secure way to manage access tokens and refresh tokens.
If there is a method to retrieve recordings and transcripts without using OAuth or access/refresh tokens, that would also be acceptable. I would greatly appreciate your guidance on this.
I apologize for the basic nature of these questions, and thank you in advance for your assistance.
Welcome to the community.
You need to think about the difference between the dev setup and if you publish.
When published you will have secret tokens in the app.
When company a want to use the app they will then get their access and refresh token
Company B will get a different access and refresh
Indeed multiple users will all get different access and refresh tokens.
So, the issue of storage. You need to provide App storage.
The most simple answer is to store them in cookies. I often keep my access token in a cookie, it is on the users machine and expires minutes. If you do this then it is good practice to encrypt them.
However, when it comes to the refresh token, I store that in my app database, it is encrypted and tied to the user id (also encrypted).
So for dev, I leave both as cookies, but once I am looking for production, the refresh will do in a secure database. One entry for every user all access and refresh tokens are different for each user and company