Updates to Meeting SDK Authorization

Hello Developers!

You may have received an email about upcoming changes to how Meeting SDK apps authorize and attribute users. We know this update may raise some questions or require extra guidance as you plan your next steps.

This thread is your space to ask questions, share feedback, or discuss how these changes might affect your apps. Our team will be monitoring this post and ready to help clarify your options.

To recap:
Starting February 23, 2026, apps that access meeting content — including Meeting SDK apps that join as participants — will need to attribute to a user when joining meetings outside their own account. Anonymous joins will no longer be supported.

You have a few different paths available, depending on your use case:

• Meeting SDK On Behalf Token (OBF): For apps that join as a participant on behalf of a user.
• Meeting SDK ZAK Token: For apps joining as the signed-in user.
• Realtime Media Streams (RTMS): For apps that need direct access to meeting media without appearing in the participant list.

To support your transition, we’re hosting weekly live information sessions. Use this registration link to join the session that works best for your region:

• US/ Americas: Weekly, starting Nov 19, 11:00 AM PST
• APAC/EMEA: Weekly, starting Nov 20, 9:00 AM GMT

We know changes like this take time, so we’ve pulled together a few new resources to make things easier:

• Developer Guides: We’ve refreshed our docs with updated guidance — including a brand-new companion guide, Transitioning to On Behalf Token, to walk you through key updates step by step.
• UX Resources: Curious how these changes look and feel in action? Check out our new video, Improving user experience for Meeting assistant apps with RTMS and the associated blog for tips and best practices.

If you can’t make a session or want to start the conversation now, post your questions and feedback below. Whether you’re deciding between RTMS or OBF Token, or just need help understanding the migration paths, we’re here to support you.

For published apps:
When you’re ready to update your app, go to its Information Page and confirm under the Development tab that your Development Redirect URL is correctly configured, then set up a staging or dev environment where the Zoom reviewer can test using their own tester account.

When submitting, include testing instructions or a link in the Release notes for the app reviewer field, and if login is required, provide credentials under Test account and credentials. During review, the reviewer will log in to your test environment, authorize the development credential, and verify that your app correctly uses the new scope and attributes to the user in the meeting.

Does this also apply when using unauthenticated guest users (without OAuth or any form of authentication)?

Hi @scrum, that’s correct. The Meeting SDK will need to be authenticated (either with a ZAK token or OBF token) to join meetings outside of its own account.

Can you provide more guidance on what we need to do to support unauthenticated guest users joining outside meetings? For reference we are use the Web Meeting SDK - using the Client view.

Our app use case allows users to join different zoom meetings that are hosted by a bunch of different outside organizations. The end users don’t get to choose the meeting, we automatically direct them to the correct meeting. 99% of the users joining do not and will not have a zoom account (and it is impractical for us to have them login/oauth authorize to just to join a meeting).

From my initial read of the requirements the ZAK token workflow seems to be the only option.

The only way that I see to get a ZAK token for every user that joins is to create a Service account in my organization and use its to create valid ZAK tokens for every unauthenticated user.

Is this the pattern that Zoom is recommending?
What are the limitations of this Method?
Is there a limit to the number of meetings that a single users ZAK token can join at the same time?
Should we be using a different implementation instead (OBF?)

Kile,

In order to enhance user experience and strengthen accountability and transparency meeting apps are required to be attributed to a user. This requires meeting apps to authorize with the users ZAK or the Users On Behalf Of token. This means that the App user must also be a Zoom user and the user must be present in the meeting.

Using a service account’s ZAK for all app users would not allow the app to join the meeting since that user is not actually present in the meeting. In that case the app join would fail.

Does that mean that every user has to manually register an account? Or can the accounts be programatically created? Is there any cost associated with creating the accounts?

I was curious to get your thoughts on Apple’s App Review Guideline 5.1.1 (v) regarding Account Sign-In:

If your app doesn’t include significant account-based features, let people use it without a login.

Have you considered if this Apple requirement would be in conflict with the requirement to sign in to access a Zoom meeting, where the an app may not have “significant account-based features” around that Zoom account?

Also curious about the answers to @scrum’s questions. If there is a way to create accounts, Apple also requires that apps provide a way to delete accounts.