Server-to-Server OAuth gets token -> 200: invalid api key or secret

I wanted to check some assumptions I have on the problems I am having getting a token to work with api calls. (Backstory: I have a function working that seems to get a token, but whenever that token is used, I get a 200: “Invalid api key or secret” returned.)

  1. I am assuming the documentation is outdated when it says the use of client_credentials is only for ChatBot use. There are sections of the server-to-server documentation that specify that client_credentials is needed, and if I substitute anything else it errors. Is this true?

  2. I am also assuming that when I receive a bearer token back from zoom via /oauth/token, the only thing that could really be wrong with it is that it could be the wrong type or be drawn from an app that doesn’t have the right scopes. Problems like encoding mistakes should not apply if zoom returns the token, right?

  3. Is it safe to assume that if the api says it requires meeting:write and meeting:write:admin, I am okay if my app has only the meeting:write:admin option? There does not appear to be a meeting:write option listed in the server-to-server oauth app scopes.

  4. Should I assume the api is returning an out-of-date error? I’m using an OAuth token but the terms “API Key” and “API Secret” are JWT-specific terms, aren’t they?

Thanks for any help anyone may have! I really want to sleep well again soon…