Token Based Login for custCreate Users

Hello Zoom Folks!

Is there a way to have custCreated users join sessions as authenticated?

I have a Zoom app that creates API managed users for all of our platform users. I would like to have those specific users be able to join sessions with their managed profiles.

There are two things I want to achieve here. First, I would like users to be able to show up as themselves in the participants list.

This appears to be possible by getting a zak token for a user and adding it to the join url. Though this appears to work, I can’t find it documented anywhere, and I wouldn’t necessarily count on it being there for any length of time unless it is documented. If this is expected behavior, could you point me to the docs on the subject?

All of that does seem somewhat indirect. What I would really like to do is lock down the sessions so that only invited individuals can attend.

I can sort of do this with registrations, but the downside is that it doesn’t actually appear possible to register users by their account ids. I suppose this is fine, because I have their email address and name, and I can register on behalf of them, but it seems like there should be a more direct way.

At any rate, in the end, outside of a desire to ensure that known entities are connecting to our sessions, I would like for these users to show up as themselves under past participants. Regardless of whether I add the zak token to the join url, or whether I add a user as a participant, they still show up as “Name unavailable” in the dashboard, and they show up as:

  participants: [
      id: '<actual host id>',
      name: '******',
      userEmail: '******'
    { id: '', name: '******', userEmail: '******' }

when I make a request to the past participants api.

We are able to infer who is who for the most part, but I would really like to be able to draw a nice straight line to every user in our system and when they connected.

So to recap, is there a best way to get all participants to be authenticated when they are custCreate users and have them show up in the participants list?

Thanks in advance.

Hey @jc1,

A few follow up questions so I can help debug.

  1. Are you trying to have custCreate users join your Zoom meetings?

  2. The GET User Token endpoint is for starting meetings, not joining. Is that the endpoint you are referring to?

  3. Do you have a Hipaa Zoom account by any chance?

  4. Have you tried authenticating your meetings with a password, and only sharing the join_url with the authorized participants?



Thanks for the follow up.

  1. Yes, that is currently what is happening. We have a host that schedules a meeting, and then our platform distributes the join link amongst the participants. All users joining the meeting already have custCreate users, so it would be really nice if I could add them as participants to that meeting directly by their Zoom IDs.

  2. Yes, though that isn’t my purpose here. When you get a start url for a meeting for a custCreate user, it is in the form<meeting_id>?zak=<a jwt where the uid claim is the user's id>. I figured, what the heck, let me see what happens if I get a zak token (from the docs):

  "type": "object",
  "properties": {
    "type": {
      "type": "string",
      "enum": [
      "description": "User token types:<br>`token` - Used for starting meetings with the client SDK.<br>`zak` - Used for generating the start meeting URL. The token expiration time is two hours. For API users, the expiration time is 90 days."
  "required": []

and create a join url like<meeting_id>?zak=<user token>.

Turns out that in the version of the zoom client I used to test this (I think it was 4.x but I’m not 100% as I have updated to 5.x recently), it actually identified the user properly in the participants view. Again, not sure if this is intended behavior or not, but it does appear to be working here.

  1. I do. I’m guessing there’s something to unpack here.

  2. It isn’t so much the security risk as it is that I only get 1 join url. I would like to be able to get a distinct join url for each participant, or at least some kind of token that I could check for in the participants view that I could tie back to a user in my system. We are working on getting our current meetings password protected at present, but using the join url with the password token baked into it isn’t going to be a problem.

Hope that clarifies things.

Hey @jc1,

Thanks for the additional details.

Does adding the users zak token to the join_url still work in Zoom 5.X? That is the expected flow. :slight_smile:

Your other best option is to register the custCreate user for the meeting. A unique join_url will be returned with their name will be encoded in the url, which is carried over to the meeting and report / dashboard endpoints.