Understanding OAuth for Zoom

Replying to my own posting based on further trial-and-error and observation, along with information I found in this related thread:

The OAuth for Zoom authentication process looks like:

  1. Ask a human to visit your app’s https://zoom.us/oauth/authorize?response_type=code&client_id=x&redirect_uri=https://foo.local URI and authorize it.
    a. That human must have an account that can authorize the app
    b. S/he must use the web UI to do this step; it cannot be automated
    c. The result of this step is an authorization code
  2. Use the authorization code provided by your human to do the POST https://zoom.us/oauth/token step
    a. After you do this step one time, the authorization code from step one is history (it won’t work again)
    b. The result of this step is a token set, consisting of an access token and a refresh token
  3. Use the access token to call the Zoom API and pull data
    a. The access token expires after one hour
    b. The refresh token expires after fifteen years
    c. To get a new access token, issue a request for a new one using the refresh token

You will need a persistent area to hold on to the access token and (especially) the refresh token. If you lose the refresh token you will be starting over from step 1 above.

My feeling at this point: if you need to authenticate in a batch process, use JWT if at all possible. The OAuth flow is an order of magnitude more complex. (Unfortunately, it appears using OAuth is the only way to limit access/scope for an account.)
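Steps 2 and 3 of the flow above, written up as an added example (not code from the original post or from Zoom): the one-shot code exchange, the refresh call, and a persistent token store that refreshes shortly before the one-hour access token expires. The `post(url, data, headers)` callable, the `TokenStore` class, the `client_id`/`client_secret` values and the use of an HTTP Basic header for client authentication (standard OAuth 2.0 client authentication, assumed here for Zoom) are all assumptions of this example.

```python
"""Token exchange, refresh and persistence for the Zoom OAuth flow described above.
Example code, not from the original post; `post` is an injected HTTP callable such as
lambda u, d, h: requests.post(u, data=d, headers=h).json() (assumption)."""
import base64, json, time
from pathlib import Path

TOKEN_URL = "https://zoom.us/oauth/token"   # step 2 endpoint from the post
ACCESS_TTL = 3600                           # step 3a: access token lives one hour

def basic_auth_header(client_id, client_secret):
    # Standard OAuth 2.0 client authentication: Basic base64(client_id:client_secret)
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def _stamp(body, now):
    # Record an absolute expiry so the caller can refresh *before* the token dies
    ttl = int(body.get("expires_in", ACCESS_TTL))
    return {"access_token": body["access_token"],
            "refresh_token": body["refresh_token"], "expires_at": now + ttl}

def exchange_code(post, code, client_id, client_secret, redirect_uri, now=time.time):
    # Step 2: the authorization code works exactly once; the reply is the token set
    data = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return _stamp(post(TOKEN_URL, data, basic_auth_header(client_id, client_secret)), now())

def refresh(post, refresh_token, client_id, client_secret, now=time.time):
    # Step 3c: trade the long-lived refresh token for a new access token
    data = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return _stamp(post(TOKEN_URL, data, basic_auth_header(client_id, client_secret)), now())

class TokenStore:
    """The 'persistent area' the post calls for: token set kept in a JSON file (assumed layout)."""
    def __init__(self, path):
        self.path = Path(path)
    def load(self):
        return json.loads(self.path.read_text()) if self.path.exists() else None
    def save(self, tokens):
        self.path.write_text(json.dumps(tokens))

def get_access_token(store, post, client_id, client_secret, now=time.time, skew=60):
    # Return a usable access token, refreshing it when within `skew` seconds of expiry
    tokens = store.load()
    if tokens is None:   # losing the refresh token means starting over at step 1
        raise RuntimeError("no token set saved: a human must authorize the app again (step 1)")
    if now() >= tokens["expires_at"] - skew:
        tokens = refresh(post, tokens["refresh_token"], client_id, client_secret, now)
        store.save(tokens)   # the reply may carry a new refresh token; always keep the newest
    return tokens["access_token"]
```

Protect the store file like a password: whoever reads the refresh token can mint access tokens for the account until it is revoked.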