Use a JWT token instead of appkey and secret?

Hey there, ive integrated zoom sdk into my own app as shown in the docs (importing the commonlib.aar and mobile.aar packages into my personal project). Ive come across a problem now. The app currently has the appkey and secret hardcoded inside it. I would instead like to use a JWT token. I have generated the token as directed in the docs here and implemented it in the app as follows:

public void initializeSdk(Context context , String key, String secret) {
ZoomSDK sdk = ZoomSDK.getInstance();
ZoomSDKInitParams params = new ZoomSDKInitParams();
params.jwtToken = my_token; // I havent writen the token here cause i dont know if its safe
params.domain = “zoom.us”;
params.enableLog = true;
ZoomSDKInitializeListener listener = new ZoomSDKInitializeListener() {
@Override
public void onZoomSDKInitializeResult(int errorCode, int internalErrorCode) {
}
@Override
public void onZoomAuthIdentityExpired() {
}
};
sdk.initialize(context, listener, params);
}

However it doesnot work and throws an exception. So, how do i properly use a JWT token with my app? Also in terms of best practice, should i hardcode my token in the app or store it on a backend server and then recieve it from there?

P.s maybe im not generating the token correctly. I want my token to expire after 1 month so i set botk tokenExp and exp 1 month from the current time(in epoch). Is this approach correct or am i doing somrthing wrong?Also how do i make it so that the token never expires and what are the benifits or disadvantages of using such a token that never expires?

Hey @abduljav123,

Thanks for using the dev forum!

What is the exception you are getting?

The JWT simply provides an additional layer of security around your key and secret. The nice thing about a JWT is that it is temporary. As in, if your JWT was obtained by someone else you would at least have the protection of an expiration time. The JWT is handed to the SDK the same way key/secret would be, except it allows you to auth the SDK without hardcoding your key and secret directly into the application.

You should not generate your JWT clientside. You should have it reach out to a server that can create one for you when it is needed. Please do not hardcode your key and secret into your application.

Zoom JWT’s have a maximum lifetime of 48 hours. Generating one to last a month will not work. The disadvantage of a JWT with a long expiration time is that it defeats the purpose of an expiration time. The expiration time protects you (and zoom) from having your JWT compromised and then used. Ideally, you would want the expiration time as short as possible.

Thanks!
Michael