ZAK token security - Redirecting user to `start_url`

I’m developing a web app that uses the Zoom API to CRD meetings from the backend. When a user creates a meeting, my own API forwards the start_url from the Zoom API response to the web frontend to redirect the host to this URL (but not for participants).

Is it OK to do this, as the start_url contains the user’s ZAK token?

I’m confused by the response from the Zoom security review that “Zoom auth “zak” key is returned to the users browser when it should be kept secret”.

Greetings, @44kia244,

Welcome to the Developer Forum. Can you share more context on what you are looking to accomplish? Are you looking for guidance on how to pass the Zoom security review? If so, has the marketplace reviewer provided you with alternative options?

Thanks for your reply,

Actually, this issue was resolved a while after posting this topic. This is the story behind the issue and how it was resolved.

I implemented an application that allows users to create a meeting in the application. So I created an authenticated API endpoint that creates a meeting via the Zoom Meetings API on behalf of the authenticated user (e.g. POST my.api/meetings/create), then returns the start_url to the client side for redirecting the user to start the meeting.

After submitting my application for a security review, a reviewer sent me a couple of security issues. One of them was that the start_url (which contains the ZAK token) should not be sent to the client side.

I didn’t agree with this finding, as the Zoom API documentation says that the start_url should not be shared with anyone other than the host. Another reason is that the Zoom Meeting SDK for React also requires this ZAK token to start a meeting.

After some email conversation with the reviewer, the Zoom marketplace security team confirmed that this is not an issue, as the request is always authenticated as the host. So this issue is resolved.
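The arrangement the thread settles on, as an added example that is not code from the thread, from the poster’s app, or from Zoom: a backend creates the meeting on behalf of the signed-in user and returns the start_url (which carries the host’s ZAK) only to that host, while anyone else only ever gets the join_url, and the ZAK is redacted before a start_url is written to a log. Zoom’s API is replaced by a constructed fake client so the code runs offline; the endpoint names, the session shape `{ userId, zoomUserId }`, the in-memory store and the `createApp` helper are all assumptions.

```javascript
// Added example, not code from the thread or from Zoom: a backend that creates
// a meeting on behalf of the signed-in user and hands the start_url (which
// carries the host's ZAK) only to that host; everyone else gets join_url.
// Zoom's API is replaced by a constructed fake so this runs offline; the
// endpoint names, session shape and store are assumptions.

// Constructed stand-in for Zoom's "create a meeting" call. Only the fields
// this example uses are modelled; the zak value is made up.
function fakeZoomClient() {
  let nextId = 1000;
  return {
    async createMeeting(hostZoomUserId, topic) {
      const id = nextId++;
      return {
        id,
        topic,
        join_url: `https://zoom.us/j/${id}`,
        start_url: `https://zoom.us/s/${id}?zak=CONSTRUCTED_ZAK_FOR_${hostZoomUserId}`,
      };
    },
  };
}

// Replace the zak query parameter before a start_url is written anywhere
// other than the host's own response (log lines, error reports, analytics).
function redactZak(url) {
  const u = new URL(url);
  if (u.searchParams.has('zak')) u.searchParams.set('zak', 'REDACTED');
  return u.toString();
}

// Minimal app: an in-memory meeting store keyed by meeting id (assumption).
function createApp(zoom, log = () => {}) {
  const meetings = new Map(); // id -> { hostUserId, join_url, start_url }

  // POST my.api/meetings/create: `session` is the app's own authenticated
  // session, assumed to look like { userId, zoomUserId }.
  async function createMeeting(session, body) {
    if (!session || !session.userId || !session.zoomUserId) {
      return { status: 401, body: { error: 'authentication required' } };
    }
    const m = await zoom.createMeeting(session.zoomUserId, body.topic);
    meetings.set(m.id, { hostUserId: session.userId, join_url: m.join_url, start_url: m.start_url });
    // Never log the raw start_url: the ZAK would end up in log storage.
    log(`meeting ${m.id} created by ${session.userId}: ${redactZak(m.start_url)}`);
    // The caller is the authenticated host, so the start_url goes back to
    // them here, which is the arrangement the thread describes as accepted.
    return { status: 201, body: { id: m.id, start_url: m.start_url, join_url: m.join_url } };
  }

  // GET my.api/meetings/:id/links: any signed-in user may fetch join_url,
  // but start_url is included only when the viewer is the meeting's host.
  function meetingLinks(session, meetingId) {
    if (!session || !session.userId) {
      return { status: 401, body: { error: 'authentication required' } };
    }
    const m = meetings.get(meetingId);
    if (!m) return { status: 404, body: { error: 'unknown meeting' } };
    const out = { id: meetingId, join_url: m.join_url };
    if (m.hostUserId === session.userId) out.start_url = m.start_url;
    return { status: 200, body: out };
  }

  return { createMeeting, meetingLinks };
}
```

The check that matters is the one on `m.hostUserId === session.userId` in `meetingLinks`: the app’s own session, not anything in the request body, decides who the host is, so a participant who knows a meeting id still only receives the join_url.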

Awesome, thank you so much for your back story and solution, @44kia244! Glad that the issue is now resolved. I will go ahead and close this thread.