Zoom OAuth 2

Zoom provides an OAuth 2 implementation to authenticate a Zoom user in your application or workflow without requiring them to expose their username, password or API credentials. Below are some guides on how to get started.

Meetingbird has used the OAuth handshake with our platform and has published example code. Check out their git repo.

Step 1

Register your OAuth Application at developer.zoom.us.

Provide an App Name, Description, Icon URL and Redirect URI (you can provide multiple in a comma-separated string). The App Name must be unique and not previously registered. After completing the information, click “Register” and you should be presented with a Client ID and Secret. Take note of this information.

Step 2

Present the user with an action to authorize Zoom; this can be a link or a button. When the action is triggered, redirect the user to the Zoom OAuth authorization URL https://zoom.us/oauth/authorize with the following parameters: response_type, client_id and redirect_uri.

Parameter Description
response_type This is the authorization type. This will always be set to “code”.
client_id The client identifier issued to the client during the registration process.
redirect_uri Where to redirect the user back to after authorization. This must match one of the redirect URIs used during registration.

 

A complete example URL would be similar to:

https://zoom.us/oauth/authorize?response_type=code&client_id=jzqjgCxPSQSJ4wj6BeWrtQ&redirect_uri=https://myapp.com/oauth

Step 3

Assuming the user confirmed authorization of your application, they will be redirected to the redirect_uri with a query parameter ‘code’:

https://myapp.com/oauth/?code=eYanu1uG5TucLenI

You will then use the ‘code’ value to obtain an OAuth token. Make a server-side request to https://zoom.us/oauth/token, providing the parameters grant_type, code and redirect_uri, and using Basic Authentication where the user is the client ID and the password is the client secret.

Parameter Description
grant_type This is the grant type. This will always be set to “authorization_code”.
code This is the code returned in the previous step
redirect_uri Where to redirect the user back to after authorization. This must match one of the redirect URIs used during registration.

 

Make sure that you add the Basic auth header to this request, with the username set to the client ID and the password set to the client secret. An example cURL request would look like:

curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" \
--user jzqjgCxPSQSJ4wj6BeWrtQ:333fR0hA019TduHjKsFWMWDurToMEKWw \
--data 'grant_type=authorization_code&code=eYanu1uG5TucLenI&redirect_uri=https://myapp.com/oauth' \
https://zoom.us/oauth/token

 

The response will be:

{
    "access_token":"5kwaMOrdEFWx1jYVK8qg80cImPYBA83Z",
    "token_type":"bearer",
    "refresh_token":"Ggf2816C5ANa6XVplzO8vwE6IRIXtjvE",
    "expires_in":3599,
    "scope":"meeting:write user:read recording:write webinar:write"
}

Step 4

Now that you have an OAuth token, you can use it to call the APIs on behalf of the user. You authenticate the API call by passing an Authorization header with the bearer token.

curl -H "Authorization: Bearer 5kwaMOrdEFWx1jYVK8qg80cImPYBA83Z" https://zoom.us/api/profile

Notes

In Step 3 you’ll notice that you also received a refresh_token and an expires_in value (how long the token is good for, in seconds). If you need to make additional calls after the token expires, you will need to refresh your original token. You can do this in the same way as in Step 3, changing grant_type to ‘refresh_token’ and passing the ‘refresh_token’ instead of ‘code’:

curl -X POST -H "Content-Type:application/x-www-form-urlencoded" \
--user jzqjgCxPSQSJ4wj6BeWrtQ:333fR0hA019TduHjKsFWMWDurToMEKWw  \
--data 'grant_type=refresh_token&refresh_token=Ggf2816C5ANa6XVplzO8vwE6IRIXtjvE' \
https://zoom.us/oauth/token
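
The requests from Steps 2 and 3 and the refresh call above, as an added Node.js example (not Zoom's or Meetingbird's code): it builds the authorization URL and the token request with every parameter percent-encoded, and validates the token response before use. The `grant` object shape and the 60-second `skewSeconds` margin are assumptions of this example.

```javascript
// Added example (not Zoom's code). Endpoints and parameter names are the ones on this page.
const AUTHORIZE_URL = "https://zoom.us/oauth/authorize";
const TOKEN_URL = "https://zoom.us/oauth/token";

// Step 2: build the authorization URL. URLSearchParams percent-encodes redirect_uri.
function buildAuthorizeUrl(clientId, redirectUri) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
  }).toString();
  return url.toString();
}

// Step 3 and the refresh note: build this server side only, so the client secret
// never reaches the browser. grant is { code, redirectUri } or { refreshToken } (assumed shape).
function buildTokenRequest(clientId, clientSecret, grant) {
  const form = grant.refreshToken
    ? { grant_type: "refresh_token", refresh_token: grant.refreshToken }
    : { grant_type: "authorization_code", code: grant.code, redirect_uri: grant.redirectUri };
  if (Object.values(form).some((v) => !v)) throw new Error("incomplete grant");
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams(form).toString(),
  };
}

// Validate the token response and work out when to refresh, a little before
// expires_in runs out (skewSeconds is an assumed safety margin).
function parseTokenResponse(json, nowMs, skewSeconds = 60) {
  const t = JSON.parse(json);
  if (!t.access_token || String(t.token_type).toLowerCase() !== "bearer" ||
      !Number.isFinite(t.expires_in)) {
    throw new Error("unexpected token response");
  }
  return {
    accessToken: t.access_token,
    refreshToken: t.refresh_token,
    scopes: String(t.scope || "").split(" ").filter(Boolean),
    refreshAtMs: nowMs + (t.expires_in - skewSeconds) * 1000,
  };
}
```

The object returned by `buildTokenRequest` can be handed to any HTTP client; with Node's built-in `fetch` that is `fetch(req.url, req)`.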

API availability

The following APIs are now available for use with the OAuth token.

User API

Meeting APIs

Webinar APIs

Cloud Recording

Node.js Example

Below is some example code in Node.js that would run at your redirect URI location.