I found this: Randomly receiving “Invalid access token” for Server-to-Server OAuth - API and Webhooks - Zoom Developer Forum, for anyone else looking. But looks like basically yes, we need to introduce a token manager-type function into our backend so the rest of our app business logic doesn’t have to be concerned with it.