Understanding OAuth for Zoom

Description

I have a specific set of questions about OAuth for Zoom.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

Which Endpoint/s?

  • https://zoom.us/oauth/authorize
  • https://zoom.us/oauth/token

Additional context

I’m in the process of writing a prototype batch application that needs to:

  • Authenticate/authorize to Zoom
  • Pull and process data

I already have everything working correctly for JWT, which is simple and straightforward. With JWT, I can run in batch and all is well.

However, I am not sure I correctly understand how OAuth is supposed to work in this context. According to the documentation:

  • Step 1: Request User Authorization - GET https://zoom.us/oauth/authorize
  • Step 2: Request Access Token - POST https://zoom.us/oauth/token

I’ve followed the directions and provided the appropriate query parameters for Step 1, but no matter what I try I’m not able to get this to work in batch. It always requires a user to interactively log in (using a web browser), after which I’m issued an authorization code.

This obviously will not work for a batch application. I need it to be programmatic, without user interaction.

So far, my stop-gap for this prototype has been to:

  1. Interactively log in to Zoom using https://zoom.us/oauth/authorize?response_type=code&client_id=x&redirect_uri=https://foo.local
  2. Make a note of the authorization code that is issued
  3. Provide that authorization code (as an environment variable) to my batch application
  4. Let my batch application do the POST https://zoom.us/oauth/token using the authorization code from above
  5. Batch application receives the access token
  6. And so on… make more calls, get data, etc.

Could someone help me understand what I’m missing? Should I be able to make a programmatic (read: no human involvement, no web browser) request to https://zoom.us/oauth/authorize? Or does it always involve a human, by design? If it does always involve a human, then do the authorization codes expire?

Thanks in advance for your help.

Replying to my own posting based on further trial-and-error and observation, along with information I found in this related thread:

The OAuth for Zoom authentication process looks like:

  1. Ask a human to visit your app’s https://zoom.us/oauth/authorize?response_type=code&client_id=x&redirect_uri=https://foo.local URI and authorize it.
    a. That human must have an account that can authorize the app
    b. S/he must use the web UI to do this step; it cannot be automated
    c. The result of this step is an authorization code
  2. Use the authorization code provided by your human to do the POST https://zoom.us/oauth/token step
    a. After you do this step one time, the authorization code from step one is history (it won’t work again)
    b. The result of this step is a token set, consisting of an access token and a refresh token
  3. Use the access token to call the Zoom API and pull data
    a. The access token expires after one hour
    b. The refresh token expires after fifteen years
    c. To get a new access token issue a request for a new one using the refresh token

You will need a persistent area to hold on to the access token and (especially) the refresh token. If you lose the refresh token you will be starting over from step 1 above.

My feeling at this point: if you need to authenticate in a batch process, use JWT if at all possible. The OAuth flow is an order of magnitude more complex. (Unfortunately, it appears using OAuth is the only way to limit access/scope for an account.)
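The three steps above, carried out from the batch side. This is an added example, not the poster's code or Zoom's: it builds the step-1 URL with a random `state` value, exchanges the one-time code using HTTP Basic client credentials, persists the token set to a mode-0600 file, and refreshes automatically when the access token is within five minutes of its one-hour expiry. `FakeZoom` is a constructed stand-in for https://zoom.us/oauth/token so the module runs offline (the real transport is `http_post`); the client ID, secret, code and redirect URI are placeholders, and the stand-in's behaviour of issuing a replacement refresh token on every refresh is an assumption about Zoom's endpoint, not something this thread states.

```python
"""Zoom OAuth for a batch job: step-1 URL, one-time code exchange, persisted
refresh token, refresh on expiry. Added example, not Zoom's code; FakeZoom is a
constructed stand-in for the token endpoint so this runs offline."""
import base64
import json
import os
import secrets
import tempfile
import time
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://zoom.us/oauth/authorize"
TOKEN_URL = "https://zoom.us/oauth/token"
REFRESH_MARGIN = 300  # refresh five minutes before the one-hour access token expires


def build_authorize_url(client_id, redirect_uri):
    """Step 1: URL for the human's browser, plus the random `state` the redirect
    handler must compare with the echoed value before trusting the code (CSRF guard)."""
    state = secrets.token_urlsafe(16)
    query = urllib.parse.urlencode({"response_type": "code", "client_id": client_id,
                                    "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def http_post(url, headers, data):
    """Real transport: form-encoded POST, returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, urllib.parse.urlencode(data).encode(), headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.load(resp)


class ZoomTokens:
    """Token set persisted to a mode-0600 file; lose the refresh token and a human must redo step 1."""
    def __init__(self, client_id, client_secret, path, transport=http_post):
        self.client_id, self.client_secret, self.path, self.transport = client_id, client_secret, path, transport
        self.tokens = None
        if os.path.exists(path):
            with open(path) as f:
                self.tokens = json.load(f)

    def _request(self, params):
        # Zoom authenticates the app itself with HTTP Basic client_id:client_secret
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {creds}", "Content-Type": "application/x-www-form-urlencoded"}
        status, body = self.transport(TOKEN_URL, headers, params)
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token endpoint returned {status}: {body}")
        self.tokens = {"access_token": body["access_token"], "refresh_token": body["refresh_token"],
                       "expires_at": time.time() + int(body["expires_in"])}
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only secret file
        with os.fdopen(fd, "w") as f:
            json.dump(self.tokens, f)
        return self.tokens["access_token"]

    def exchange_code(self, code, redirect_uri):
        """Step 2: one-time exchange; the code is dead after this call."""
        return self._request({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})

    def access_token(self):
        """Step 3: a usable access token, refreshed when close to expiry."""
        if self.tokens is None:
            raise RuntimeError("no token set on disk: run step 1 and exchange_code first")
        if time.time() < self.tokens["expires_at"] - REFRESH_MARGIN:
            return self.tokens["access_token"]
        return self._request({"grant_type": "refresh_token", "refresh_token": self.tokens["refresh_token"]})


class FakeZoom:
    """Constructed stand-in: single-use codes, refresh token replaced on each use (assumed), 3600 s tokens."""
    def __init__(self, code):
        self.codes, self.refresh_tokens, self.n = {code}, set(), 0

    def _issue(self):
        self.n += 1
        self.refresh_tokens.add(f"rt{self.n}")
        return 200, {"access_token": f"at{self.n}", "refresh_token": f"rt{self.n}", "expires_in": 3600}

    def __call__(self, url, headers, data):
        if data["grant_type"] == "authorization_code" and data["code"] in self.codes:
            self.codes.discard(data["code"])  # the code is history after one use
            return self._issue()
        if data["grant_type"] == "refresh_token" and data["refresh_token"] in self.refresh_tokens:
            self.refresh_tokens.discard(data["refresh_token"])
            return self._issue()
        return 400, {"reason": "Invalid Token!"}


def run_demo(code="abc123", redirect_uri="https://foo.local"):
    """Walk the flow end to end against FakeZoom; returns observations to check."""
    path = os.path.join(tempfile.mkdtemp(), "zoom_tokens.json")
    fake = FakeZoom(code)
    z = ZoomTokens("client-id", "client-secret", path, transport=fake)
    out = {"first": z.exchange_code(code, redirect_uri), "cached": z.access_token()}
    try:
        z.exchange_code(code, redirect_uri)  # replaying the spent code must fail
        out["replay_rejected"] = False
    except RuntimeError:
        out["replay_rejected"] = True
    z.tokens["expires_at"] = time.time()  # force the expiry path
    out["refreshed"] = z.access_token()
    out["persisted"] = ZoomTokens("client-id", "client-secret", path, transport=fake).tokens["refresh_token"]
    return out
```

In production the only human-facing piece is the URL from `build_authorize_url`; the redirect handler that receives `?code=...&state=...` should reject any callback whose `state` does not match the one it issued, then call `exchange_code` once and never store the code. After that the batch job only ever calls `access_token()`, and the file holding the refresh token is the credential to protect.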

That is correct. For Batch processes, use a JWT Token.

OAuth is meant for Zoom users to authorize your app to read/write on their behalf, for example, installing any app here: http://marketplace.zoom.us/

Thanks,
Tommy.
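For contrast with the OAuth flow, the JWT path recommended above, as an added example (not Zoom's code or the poster's): a Zoom JWT app signs a short-lived HS256 token whose `iss` claim is the API key and whose `exp` claim bounds its life, and sends it as `Authorization: Bearer`. It is hand-rolled with `hmac` so it runs offline without PyJWT; the API key and secret below are placeholders, and `verify_zoom_jwt` is included only to show what the server checks. One caveat not in this thread: Zoom has since deprecated the JWT app type in favour of Server-to-Server OAuth, which keeps the no-human property without a browser step.

```python
"""Zoom JWT app credentials for a batch job: mint the HS256 bearer token.
Added example, not Zoom's code; hand-rolled with hmac, no PyJWT needed.
API key and secret values used by callers are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_zoom_jwt(api_key, api_secret, ttl=300, now=None):
    """Short-lived token: header {alg:HS256,typ:JWT}, claims iss=API key, exp=now+ttl.
    Keep ttl small; the token is a bearer credential and needs no refresh machinery."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64url(json.dumps({"iss": api_key, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(api_secret.encode(), f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_zoom_jwt(token, api_secret, now=None):
    """What the API side does: constant-time signature check, then expiry.
    Returns the claims dict, or None when the token must be rejected."""
    try:
        header, claims, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(api_secret.encode(), f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    body = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
    now = int(time.time()) if now is None else now
    return body if body.get("exp", 0) > now else None
```

The batch job mints a fresh token for each run (or each request) and sends `Authorization: Bearer <token>`; nothing has to be persisted except the API secret itself, which is why the thread finds this path so much simpler than OAuth.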

@tommy Thanks for clarifying.


Happy to help! 🙂

-Tommy

I just created another new topic (Longevity of OAuth UserManaged code) about the longevity of the authorization code, and in reading this thread it seems it is only good for one use in getting an access/refresh token? Do we need to request user authorization again via the marketplace application Installation URL? Thank you…

Hey @sabraha5,

Correct. The code in the redirect url query param is just for getting an access and refresh token. You will never use that same code again, it does not need to be stored.

No, just simply refresh the access token.

Thanks,
Tommy
