Specific API access needs - how do I satisfy them

Using this template helps us debug your issues more effectively :slight_smile:

Description
I am writing an application that needs to access my own meeting data including participants and transcripts. In other words, no more than I am already able to access through the web portal.

My organization has an enterprise wide account which is tied into our SSO. According to my IT, I am required to use OAuth. I am not admin at my organization but then I am not looking to access any information other than I am normally able and allowed to access.

I admit that we are struggling here. It seems that for retrieving transcripts we need to access “admin scopes” and our IT rightfully is not willing/able to furnish that to us (nor would we want it.)

I am unclear about the flow of things. It seems that my application has to be ‘registered’ which is separate from when it is executed? And when it is executed, will it not still be limited by the logged in user’s permissions? In other words, could my application be “installed” by the admins but run by me?

I am sure I am not explaining this exactly right. I am willing to look at any documentation that is on point because I’ve not been able to locate it myself. Any help provided would be greatly appreciated!

Hi @pitosalas,

Thanks for reaching out about this, and good question.

To clarify, you’re correct that accessing meeting transcripts requires you to have account owner or admin privileges. When accessing resources via API, this means you will need to authorize your requests with credentials associate with an account-level app.

We have two types of account level app:

The first allows you to authorize API requests with a token. The second requires end user authorization to retrieve a code, which you can then swap for an access_token to authorize API requests with.

In your situation, the JWT token would be the recommended method for simplicity, however, you will need to be an admin on your account in order to leverage either of these app types.

Let me know if this information helps to clarify,
Will

Hi Will,

Thanks for the info. A few follow ups. I believe Zoom discourages us from authenticating with JWT because it is not as secure. Can you explain a little more?

I just want to nail this down. Even though I am able to get my own transcripts as downloadable VTTs and my own meetings and participants in downloaded CSV through the x.zoom.us web interface, I cannot get them through the API without being an admin on my account?

And what does being an admin on my account really mean? From the term it sounds like it’s not something that I as a regular user would ever get because it would give me far more access than would make any sense from a privacy and security perspective. Is that right?

Thanks,

Pito Salas

Hey @pitosalas,

I’m happy to help out here!

JWT Credentials provide unfettered, account-level, access and there isn’t a way to change the scope of access that is available or for an end-user to authorize the scope of data access. For this reason, JWT credentials don’t follow security/privacy best practices as closely but are excellent when making API calls that don’t involve user interaction.

If you just want to obtain recording files for your own recordings, you should be able to use a User Level OAuth app along with the recording:read scope to call the Get Meeting Recordings API. If that doesn’t help, try using the me route with the API.

Being an Admin on your account means that your user has the role “Admin”. However, you can use Admin scopes with different roles if you provide the Marketplace and Developer permissions to that user along with the relevant permissions to access the data behind those scopes (permission to manage users for the Create a User API).

You can create a “Developer” role that would allow you to create/install Account-Level (and therefore admin) apps but this might also be a blocker for your IT team.

Thanks,
Max

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.