Server to Server OAuth External Account Interaction
Currently, our team is looking to integrate Zoom into our application in order to interact with the Zoom API to get information such as devices and rooms, etc… about a particular account. We would primarily be leveraging the Zoom Meeting API for our case.

Current Challenge:

Our dev team is looking to build a Server-to-Server app rather than an OAuth app in the Zoom Marketplace. Within our internal application we would have users with different Zoom account Ids (all different from the one where the app is built/published under). Currently, we’re able to get an access token and have been using it to test different Zoom API endpoints successfully and get information about the account our app lives in.

However, I haven’t been able to find any documentation about being able to use this same app in order to get information about a different account (for instance if a user provides their own account Id and is used in conjunction with the same app credentials).

Is this scenario possible using a Server-to-Server application? Or is this not technically feasible the way that it’s being described here using this type of app? The only way I’ve seen this to be possible is if each user creates their own STS app in their own account and then provides those app credentials, however we would like to have only ONE centralized application that users from other accounts can leverage.

Would this scenario be possible using a different type of app such as OAuth? We need to be able to have just one application that then outside users can leverage in order to get their respective account data using the Zoom API.

Hi @sreskala
Thanks for reaching out to us.
It looks like the app that you need to develop is an OAuth app, because you will be making API calls on behalf of external accounts. If you want to access data from external accounts, you will have to develop an OAuth integration and have it reviewed by the Marketplace team.

The Server-to-Server OAuth app is an admin-level app used for internal applications only; this means that you cannot use the S2S credentials to make API calls on behalf of users who do not belong to your account.
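The distinction in the answer above, as an added example that is not from this thread or from Zoom's own code: a Server-to-Server app requests a token with its own account credentials and can only ever speak for the account that owns the app, while a user-authorized OAuth app sends each external user through a consent step and ends up holding one token per external account. The endpoint URLs (`https://zoom.us/oauth/token` with `grant_type=account_credentials` / `grant_type=authorization_code`, and `https://zoom.us/oauth/authorize`) are assumptions taken from Zoom's public OAuth documentation; nothing here touches the network. The functions only build the requests, and a small token store enforces the per-account scoping so a shared S2S token is never reused for a foreign account id.

```python
"""Added example: request shapes and per-account token scoping for
Zoom Server-to-Server OAuth vs. user-authorized OAuth (assumed endpoints)."""
import base64
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlencode

TOKEN_URL = "https://zoom.us/oauth/token"          # assumed, per Zoom OAuth docs
AUTHORIZE_URL = "https://zoom.us/oauth/authorize"  # assumed, per Zoom OAuth docs


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic header carrying the Marketplace app's client id/secret."""
    creds = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def s2s_token_request(client_id: str, client_secret: str, app_account_id: str) -> dict:
    """Server-to-Server: app credentials plus the account that owns the app.
    There is no user consent step, which is why the resulting token cannot
    reach accounts other than app_account_id."""
    query = urlencode({"grant_type": "account_credentials",
                       "account_id": app_account_id})
    return {
        "method": "POST",
        "url": f"{TOKEN_URL}?{query}",
        "headers": {"Authorization": basic_auth_header(client_id, client_secret)},
    }


def oauth_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """User-authorized OAuth, step 1: send the external user to Zoom to consent.
    `state` is a random per-login value that is checked again on the callback."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def oauth_code_exchange_request(client_id: str, client_secret: str,
                                code: str, redirect_uri: str) -> dict:
    """Step 2: exchange the authorization code for a token bound to the
    consenting user's account (one token per external account)."""
    query = urlencode({"grant_type": "authorization_code", "code": code,
                       "redirect_uri": redirect_uri})
    return {
        "method": "POST",
        "url": f"{TOKEN_URL}?{query}",
        "headers": {"Authorization": basic_auth_header(client_id, client_secret)},
    }


def new_state() -> str:
    """Unguessable state value for the authorize redirect."""
    return secrets.token_urlsafe(24)


def verify_state(sent: str, received: str) -> bool:
    """Constant-time comparison of the state echoed back on the callback;
    a mismatch means the callback was not started by this login."""
    return secrets.compare_digest(sent, received)


@dataclass
class TokenStore:
    """Holds the app's own S2S token and one OAuth token per external account."""
    app_account_id: str
    s2s_token: Optional[str] = None
    per_account: Dict[str, str] = field(default_factory=dict)

    def store_oauth_token(self, account_id: str, token: str) -> None:
        self.per_account[account_id] = token

    def token_for(self, account_id: str) -> str:
        """Return the only token that is valid for account_id. The S2S token is
        handed out solely for the app's own account; a user-supplied account id
        with no completed OAuth consent gets an error, never the shared token."""
        if account_id == self.app_account_id and self.s2s_token:
            return self.s2s_token
        if account_id in self.per_account:
            return self.per_account[account_id]
        raise PermissionError(
            f"no OAuth authorization on file for account {account_id!r}; "
            "the S2S token cannot be used on behalf of a foreign account")


if __name__ == "__main__":
    # Constructed sample values, not real credentials or account ids.
    store = TokenStore(app_account_id="acct-app", s2s_token="s2s-token")
    print(s2s_token_request("client-id", "client-secret", "acct-app")["url"])
    state = new_state()
    print(oauth_authorize_url("client-id", "https://example.invalid/cb", state))
    try:
        store.token_for("acct-external")
    except PermissionError as exc:
        print("refused:", exc)
```

The store is the part worth copying: whatever else the integration does, the decision "which token may act for this account id" should live in one place and default to refusal, so a user typing someone else's account id gets an authorization error rather than a silent call made with the app's own admin-level token.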

If the app/‘API consumer’ is using “account credentials”, then couldn’t it make queries/adjust things on behalf of any user on the account? i.e. POST /users/{userId}/meetings (from the Zoom Meeting API)

Hi Elisa, thanks for the quick response. That makes sense; we’ll build it out leveraging the OAuth app. Thank you!

Sure thing! Happy to help!