Updates to Meeting SDK Authorization

Hello Developers!

You may have received an email about upcoming changes to how Meeting SDK apps authorize and attribute users. We know this update may raise some questions or require extra guidance as you plan your next steps.

This thread is your space to ask questions, share feedback, or discuss how these changes might affect your apps. Our team will be monitoring this post and ready to help clarify your options.

To recap:
Starting February 23, 2026, apps that access meeting content — including Meeting SDK apps that join as participants — will need to attribute to a user when joining meetings outside their own account. Anonymous joins will no longer be supported.

You have a few different paths available, depending on your use case:

  • Meeting SDK On Behalf Token (OBF): For apps that join as a participant on behalf of a user.
  • Meeting SDK ZAK Token: For apps joining as the signed-in user.
  • Realtime Media Streams (RTMS): For apps that need direct access to meeting media without appearing in the participant list.

To support your transition, we’re hosting weekly live information sessions. Use this registration link to join the session that works best for your region:

  • US/Americas: Weekly, starting Nov 19, 11:00 AM PST
  • APAC/EMEA: Weekly, starting Nov 20, 9:00 AM GMT

We know changes like this take time, so we’ve pulled together a few new resources to make things easier:

If you can’t make a session or want to start the conversation now, post your questions and feedback below. Whether you’re deciding between RTMS or OBF Token, or just need help understanding the migration paths, we’re here to support you.

For published apps:
When you’re ready to update your app, go to its Information Page and confirm under the Development tab that your Development Redirect URL is correctly configured, then set up a staging or dev environment where the Zoom reviewer can test using their own tester account.

When submitting, include testing instructions or a link in the Release notes for the app reviewer field, and if login is required, provide credentials under Test account and credentials. During review, the reviewer will log in to your test environment, authorize the development credential, and verify that your app correctly uses the new scope and attributes to the user in the meeting.

2 Likes

Does this also apply when using unauthenticated guest users (without OAuth or any form of authentication)?

1 Like

Hi @scrum, that’s correct. The Meeting SDK will need to be authenticated (either with a ZAK token or OBF token) to join meetings outside of its own account.

1 Like

Can you provide more guidance on what we need to do to support unauthenticated guest users joining outside meetings? For reference, we are using the Web Meeting SDK - using the Client view.

Our app use case allows users to join different Zoom meetings that are hosted by a bunch of different outside organizations. The end users don’t get to choose the meeting, we automatically direct them to the correct meeting. 99% of the users joining do not and will not have a Zoom account (and it is impractical for us to have them log in/OAuth authorize just to join a meeting).

From my initial read of the requirements, the ZAK token workflow seems to be the only option.

The only way that I see to get a ZAK token for every user that joins is to create a Service account in my organization and use it to create valid ZAK tokens for every unauthenticated user.

Is this the pattern that Zoom is recommending?
What are the limitations of this method?
Is there a limit to the number of meetings that a single user’s ZAK token can join at the same time?
Should we be using a different implementation instead (OBF?)?

1 Like

Kile,

In order to enhance user experience and strengthen accountability and transparency, meeting apps are required to be attributed to a user. This requires meeting apps to authorize with the user’s ZAK or the user’s On Behalf Of token. This means that the app user must also be a Zoom user and the user must be present in the meeting.

Using a service account’s ZAK for all app users would not allow the app to join the meeting since that user is not actually present in the meeting. In that case the app join would fail.

Does that mean that every user has to manually register an account? Or can the accounts be programmatically created? Is there any cost associated with creating the accounts?

I was curious to get your thoughts on Apple’s App Review Guideline 5.1.1 (v) regarding Account Sign-In:

If your app doesn’t include significant account-based features, let people use it without a login.

Have you considered if this Apple requirement would be in conflict with the requirement to sign in to access a Zoom meeting, where an app may not have “significant account-based features” around that Zoom account?

Also curious about the answers to @scrum’s questions. If there is a way to create accounts, Apple also requires that apps provide a way to delete accounts.

Hi,

Just a few clarifications:

  • This is quite a big change for us and if I understand correctly it’s now required to authorize individual users joining the Zoom meeting via OAuth and issue ZAK/OBF tokens. Also in Meeting SDK Auth, it states that anonymous join can still work only if the meeting is hosted on the same account where the app is hosted?
  • Is it possible to issue multiple ZAK or OBF tokens from the same Zoom account and allow it to join Zoom meetings? Will there be restrictions in the future such that the participant can only join on one device at a time?
  • Is there a way to test using development credentials of our app where joining without ZAK/OBF will now fail?

Thanks.

Hi @ryan6
We created an FAQ to address some of the questions you may have regarding the Meeting SDK authorization updates:

Let us know if this is helpful, and feel free to reach out if you have any feedback or additional questions.

Hi,

Currently, a meeting participant (a real person) can join a Zoom meeting via the SDK without a Zoom account, simply by using the meeting ID and password, and then being admitted by the meeting host.

However, the new update requires the SDK to join a meeting using ZAK or OBF tokens, both of which need to be bound to an account.

Does this mean that there will no longer be an option for a meeting participant to join a meeting without a Zoom account via the SDK?

Thank you

@elisa.zoom

Hi,

I have a question about using OBF tokens for Meeting SDK apps.

I’ve reviewed the following documents:

  • OBF token transition blog:
    /blog/transition-to-obf-token-meetingsdk-apps/

  • “Get a user’s token” API:
    /docs/api/rest/reference/user/methods/#operation/userToken

From these, my understanding is that a typical pattern is:

  • Each end user authorizes with the granular scope user:read:token, and

  • The app then calls GET /users/me/token?type=onbehalf to obtain an OBF token.

I’d like to confirm two points:

  1. Using admin granular scopes

    If an OAuth app is authorized by an account admin with the granular scope user:read:token:admin, can the resulting access token call
    GET /users/{userId}/token?type=onbehalf
    for arbitrary users in the same account (i.e., obtain OBF tokens on behalf of multiple users without each user completing their own user:read:token consent flow)?
    Or is per-user consent still required in order to issue an OBF token for that specific user?

  2. Impact on Zoom Rooms

    Does the new OBF / “no anonymous joining” requirement also apply when a Zoom Room is in the meeting?
    For example, when a Meeting SDK app joins a meeting that includes a Zoom Room, is an OBF token still required for user attribution, or are Zoom Rooms treated differently for this change?

Any clarification or best-practice guidance for this scenario would be greatly appreciated.

Thanks in advance.

Hi @elisa.zoom

The registration link currently shows the future US/Americas sessions (Wednesdays 11:00 AM PST / Thursdays 3:00 AM HKT), which is quite late for most APAC developers.
Will there be any future APAC-friendly time slots (for example, Thursday 9:00 AM GMT / 5:00 PM HKT as mentioned for EMEA/APAC in some announcements), or a separate registration link for the APAC/EMEA sessions?

It would be really helpful for the APAC developer community to have a more convenient timing. Looking forward to your reply!

Thanks again!

@elisa.zoom
Excuse me for the additional question.

I am planning to update to **Meeting SDK for Web 5.0.0** and implement the OBF (On Behalf Of) token flow.

To ensure my integration is robust, I would like to verify my error handling logic **before** the February 23, 2026 deadline.

**My Question:**
Is there a way to simulate the enforcement of the “no anonymous joining” policy right now?

Specifically, I want to intentionally trigger the error state that will occur if an app tries to join without a valid OBF token (or with an invalid one) after the enforcement date. I need to understand:

  1. **How to force this failure state** in a test environment today (e.g., is there a specific flag or account setting to reject anonymous SDK joins immediately?).
  2. **What specific error codes or event payloads** the Web SDK 5.0.0 will return in this scenario (e.g., will it be a join failure error code, or a specific `user_leave` reason?).

Having this information is crucial for us to implement proper error handling (e.g., fallback logic or user alerts) in our application.

Thank you in advance for your guidance.

Hi team — I was trying to locate the Meeting SDK - Android changelog post titled Requiring authorization for meetings joined outside of an app’s account on the Zoom developer site, but couldn’t find it at the original URL anymore. I also reviewed the general Zoom developer “Meeting SDK” changelog page — still no sign of that specific item.

Could you please confirm whether that changelog entry was intentionally removed or relocated? If it was moved, can you share the new location (or point to the updated post/docs)?

Thank you!

1 Like

In our case we have an app registration for the Meeting SDK. I think this is an older type of registration. Our app is hosted internally and has never authenticated to Zoom. We just pass the client id, secret, meeting number, meeting password, and a user name. This allows our app to join the meeting as a host. We’ve never had to deal with ZAK or OBF tokens up to this point.

In this use case, would we still be affected by this change? I suspect this type of app registration may be deprecated in the future. I can only create General, Server to Server, or Webhook Only registrations currently.

1 Like