Server-to-Server OAuth gets token -> 200: invalid api key or secret

I wanted to check some assumptions I have on the problems I am having getting a token to work with API calls. (Backstory: I have a function working that seems to get a token, but whenever that token is used, I get a 200: “Invalid api key or secret” returned.)

  1. I am assuming the documentation is outdated when it says the use of client_credentials is only for ChatBot use. There are sections of the server-to-server documentation that specify that client_credentials is needed, and if I substitute anything else it errors. Is this true?

  2. I am also assuming that when I receive a bearer token back from Zoom via /oauth/token, the only thing that could really be wrong with it is that it could be the wrong type or be drawn from an app that doesn’t have the right scopes. Problems like encoding mistakes should not apply if Zoom returns the token, right?

  3. Is it safe to assume that if the API says it requires meeting:write and meeting:write:admin, I am okay if my app has only the meeting:write:admin option? There does not appear to be a meeting:write option listed in the Server-to-Server OAuth app scopes.

  4. Should I assume the API is returning an out-of-date error? I’m using an OAuth token but the terms “API Key” and “API Secret” are JWT-specific terms, aren’t they?

Thanks for any help anyone may have! I really want to sleep well again soon…

Hi @citya1driving ,

  1. The two apps that you mentioned are different. You cannot use OAuth (traditional) credentials for Server-to-Server OAuth and vice versa.
  2. If Zoom returns an access token, then your API call was successful.
  3. If you cannot see a scope in the Server-to-Server OAuth app type, it is because you do not have permission, i.e., if you do not have an admin role, then you won't see admin scopes in the Server-to-Server OAuth app.
  4. Is the ask here that we rename them to clientID, client secret? I believe those terms are interchangeable.