Updates to Meeting SDK Authorization FAQ

Effective February 23, 2026, Zoom will enforce the use of an On Behalf Of (OBF) token for Meeting SDK apps joining meetings hosted by external accounts. To comply, developers must implement the OAuth authorization flow with the user:read:token scope to retrieve the required OBF token via a REST API. For use cases requiring continuous data access or persistent recording, Realtime Media Streams (RTMS) is the recommended alternative.

Frequently Asked Questions (FAQ)

General Questions

Q: When does enforcement of the OBF token requirement begin?

A: Enforcement begins February 23, 2026. Meeting SDK apps must be on the SDK minimum version (5.17.5 or later) to remain compliant. Version 6.6.10 (released November 2025) or later includes improved error messaging for OBF-related issues.

Q: Can an OBF token be obtained from any meeting participant if the meeting is created by someone outside my organization?

A: No. OBF tokens can only be obtained for participants who have authorized the app (via OAuth) and are actively present in the meeting. The SDK app cannot join until that authorized user joins.

Q: Will the OBF token requirement apply to all SDK versions, including older ones?

A: Yes. Enforcement applies to all SDK apps starting February 23, 2026. Only SDK versions 5.17.5 or later will be supported for compliance.

Q: Can multiple OBF tokens be used at the same time to maintain continuous recording if one user leaves?

A: No. Each SDK session can use only one OBF token at a time, and it is tied to a specific user. When that user leaves, the session ends and must rejoin with another authorized token.

Q: Can the Meeting SDK app continue recording when the authorized user leaves the meeting?

A: No. The SDK session is tied to the presence of the authorizing user, so the session ends when that user leaves the meeting. For continuous or automated recording, Realtime Media Streams (RTMS) is the recommended alternative.

Q: Are meeting hosts required to belong to the same Zoom account as the SDK app?

A: No. The OBF requirement is specifically for apps that join meetings outside their own account, meaning the host is external. However, a participant in the meeting must have authorized the app via OAuth to generate the required OBF token.

Q: What is the recommended alternative for continuous or automated recording use cases?

A: Use RTMS, which supports persistent or automated recording.

Q: Can RTMS support continuous recording even if the host leaves the meeting?

A: Yes. RTMS allows continuous streaming independent of participant presence, as long as the host has authorized the app.

Q: What happens if a participant joins late or declines authorization—can the SDK app still join?

A: The SDK app cannot join until an authorized participant joins.
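The presence rules in the answers above (join only once an authorized participant is present, one OBF token per session, session ends when that user leaves) can be modelled as a small state machine. This is an added illustration, not Zoom SDK code: every name is hypothetical, the event list is constructed, picking the next user alphabetically is an assumption, and the REST call that fetches the token is left out because this page does not give it.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class BotSession:
    """Hypothetical model of one SDK bot session in an externally hosted meeting."""
    authorized: set                               # users who completed OAuth for the app
    present: set = field(default_factory=set)     # users currently in the meeting
    bound_user: Optional[str] = None              # user whose OBF token is in use
    log: list = field(default_factory=list)       # audit trail of session states

    def _try_join(self):
        # Only users who both authorized the app and are present right now qualify.
        eligible = sorted(self.authorized & self.present)
        if not eligible:
            self.log.append("waiting")            # bot stays out: nobody to bind to
            return
        self.bound_user = eligible[0]             # exactly one token per session
        self.log.append(f"joined:{self.bound_user}")

    def on_join(self, user):
        self.present.add(user)
        if self.bound_user is None:               # an active session keeps its token
            self._try_join()

    def on_leave(self, user):
        self.present.discard(user)
        if user == self.bound_user:
            self.bound_user = None
            self.log.append(f"ended:{user}")      # session ends with its user
            self._try_join()                      # rejoin needs another authorized user

def replay(authorized, events):
    """Run constructed (kind, user) events and return the session log."""
    session = BotSession(authorized=set(authorized))
    for kind, user in events:
        (session.on_join if kind == "join" else session.on_leave)(user)
    return session.log

# Constructed sample: the external host never authorized the app.
SAMPLE_AUTHORIZED = {"alice", "bob"}
SAMPLE_EVENTS = [("join", "host"), ("join", "alice"), ("join", "bob"),
                 ("leave", "alice"), ("leave", "bob")]

if __name__ == "__main__":
    for entry in replay(SAMPLE_AUTHORIZED, SAMPLE_EVENTS):
        print(entry)
```

Each "ended" followed by "waiting" in the log is a window in which the bot is out of the meeting and records nothing, which is the gap the FAQ points to RTMS for.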

Q: Can legacy note-taking apps remain compliant without migrating to RTMS?

A: Legacy apps must either adopt the OBF token authorization flow or migrate to RTMS before February 23rd.

ZAK vs. OBF Tokens – Understanding the Difference

Q: What is the difference between ZAK tokens and OBF tokens?

A: The key difference is who or what the token represents.

  • ZAK tokens represent a person. They are used when the Meeting SDK app joins a meeting on behalf of an authenticated user.
  • OBF tokens represent an app. They are used when the SDK app joins a meeting as an automated participant (for example, a recording or note-taking bot).

Q: Why do developers need to use OAuth when working with ZAK tokens?

A: ZAK tokens are tied to a specific Zoom user account. To generate a valid ZAK token, the user must authorize the app via OAuth so that the app can securely access their account and act on their behalf. Without this OAuth connection, the app cannot obtain a ZAK token or join meetings as that user.

Even if your app already includes the correct ZAK token scopes, each user must still connect their Zoom account to your app via OAuth before a token can be issued. Skipping this step will prevent your app from obtaining valid ZAK tokens and joining meetings successfully.

Q: Why is this OAuth requirement often overlooked?

A: Many developers embed Zoom functionality directly into their websites, where users may never visit the Zoom App Marketplace or explicitly “install” the app. In these cases, the need for an OAuth connection is not immediately obvious from the technical documentation, even though it is required for ZAK token generation.

Q: What should developers building embedded experiences keep in mind?

A: If your app uses ZAK tokens, you must design a user flow that includes OAuth authorization. This ensures each user securely connects their Zoom account to your app before joining or hosting meetings through the SDK. For automated or bot-like use cases where no user authorization is needed, use OBF tokens instead.