Webhooks and OAuth

Hello all and thank you for your time.

I’m working on an OAuth app due to the necessity to be user-managed. My confusion lies around if I need to use OAuth tokens or not for my app’s functionality.

The intention is for the app to receive webhooks from consented Zoom accounts. All of the functionality works strictly based upon the webhooks, but it is required to be an OAuth app so that multiple accounts can install the application.

In order to receive webhooks from other Zoom accounts, do I still need to utilize the OAuth token myself? I am not requesting any information from Zoom other than utilizing webhooks associated with Meetings Events
e.g. Meeting Created, Meeting Started, and Meeting Ended.


Hey @chrismmalecki,

Good question! You do not need to use the access_token if your app only uses the webhooks!


Just for me to be 100% sure, I will still be able to receive the webhooks from other accounts that install my app and not be limited to only receiving webhooks from my own account?

Also, I noticed I have to review and sign the Zoom Marketplace Developer Agreement. The intended purpose of this app is for a local community to provide a service during the pandemic and not the product of any sort of company or organization specifically. Because this is not authorized or used by any sort of company, is it automatically not eligible to be used by other accounts? I’m starting to wonder if all my work is for nothing based on the last requirements for submitting my application for review by Zoom.

No, you won’t need the access_token, but you will have to complete the OAuth2 Authorization Flow for the installation to be valid and the customer to authorize your app.


OAuth2 Authorization Flow is required for anyone to be able to install your app, and the result of that operation is you are provided an access_token you can use to make API requests on behalf of that customer (or to refresh the access_token in cases where you need to perform an action on behalf of the user in the Zoom API, but the access_token is expired).

If you app enables the Event Subscription (Webhooks) feature, once the app is installed, those webhooks will continue to flow to the endpoint you defined until:

  • The customer uninstalls the app
  • You as a developer revoke their token
  • You make a breaking update (adding/removing scopes and publishing your app), causing the customer to have to re-authorize the app
  • You disable the Event Subscription in your app (which is akin to the aforementioned breaking update)

The access_token is not needed in this case, but you will want to employ the Event Subscription’s “Verification Token” as means to prevent request-spoofing (so you know the HTTP POST Request is coming from Zoom).

There is a requirement for you to sign the Zoom Marketplace Developer Agreement, because that defines the terms you must adhere to in order to provide Zoom Customers (and Zoom) adequate protections. You WILL NOT be able to publish your app to Zoom App Marketplace unless you have submitted the app for review and it has been approved by Zoom. No Zoom Customer will be able to install your app until these criteria are satisfied.

The only exception is if you plan to conduct a private beta before you ACTUALLY publish to Zoom Marketplace, in which case you can submit a request for your app’s Publishable URL to be enabled. Then you can PRIVATELY share that URL for customers to install your app, but you cannot publicize this URL ANYWHERE nor are you permitted (until actually published on Zoom Marketplace) to state you have an official Zoom integration or app available.

Thank you so much for the very detailed response. This really clears up a lot for me. My last question I’m seeking some clarity on has to do with the Zoom Marketplace Developer Agreement. I have no problem agreeing to it (which I have already signed) and making sure all security and data compliance standards are met, but my application is being independently developed for the usage of a local community with potential scaling to many communities. (Alcoholics Anonymous)

Based on the statements;
“Your company’s authorized agent (CEO, CTO, Legal Team Member, etc…) must review and sign the Zoom Marketplace Developer Agreement” and " Email Service Provider domains are NOT accepted, such as: @gmail.com or @outlook.com. The email address used must be a valid domain, and an operational email address we can confirm during the review process."
I have the impression I will not be able to publish an app that integrates the Zoom API to be used for these purposes as we do not operate as a business or company.

Would you be able to provide any information about how something that is more like a network of small “organizations” could be approved to utilize the Zoom API?

In this case, where you are a “lone wolf developer”, you are the business owner, and are permitted to sign, but you must provide all the accurate information so we can reach out to you if there are issues, and you are required to adhere to ALL requirements (just like any other entity), such as: Supporting customers, marketing policies, security, etc…

We expect “lone wolf developers” to have their own verifiable domain, so we can confirm we know you aren’t a “bad actor” with malicious intents for Zoom customers.

For example, I have my own domain, and have configured Google Apps (my email provider) to use my email address <my_user>@<my_domain>.

We expect lone wolf developers to operate and conduct themselves like an ethical business if they want their apps published to Zoom App Marketplace (for mass distribution). If however, you are building an app for a specific customer as a contractor, then you can do one of the following to ensure, the customer is in control of how your app accesses their account.:

  1. Build the app using your Zoom account, and provide the code to the customer.

  2. Request a Publishable URL (for your app in Zoom Marketplace) which will, once approved by Zoom, allow the customer to install your app with the Publishable URL. Only do this if you plan on publishing to Marketplace in the long-run (and conducting yourself and maintaining your app as a business entity would, so you can sign the Marketplace Developer Agreement).

  3. Ask the customer to build an OAuth App, using the parameters you define (scopes, features, etc…), but they DISABLE the “Intend to publish to Marketplace” feature, and then they provide you this newly created app’s API Keys. Then the customer is in control of how your app accesses their account.

These three scenarios above would allow you to build an app, but the customer is in charge of their account and how your app accesses their Zoom account/data.

Does this make sense?

Perhaps, in the future, we may launch a Zoom Certified Developer Program, but until such time…these are the options available.


Thank you so very much for your time, patience, and clarity on how I can proceed.


Thanks for answer @bdeanindy! :slight_smile:


My pleasure! :smiley:

1 Like