Zoom OAuth Setup
Set up the Recall Zoom OAuth integration.
Granular scopes
Zoom introduced new "granular" scopes in April 2024 to replace their Legacy scopes. Existing apps are unaffected, but any newly created apps will use these new granular scopes.
For previously created apps using Legacy scopes, see Zoom OAuth Setup.
1. Zoom App Setup
Create the App
Navigate to the Zoom App marketplace and select Develop > Build App
Creating a new Zoom App
Select General App in the dialog:
Select how your users will manage your app:
- User-managed: Individual end users authenticate via OAuth
- Account-managed: Zoom account admins authenticate the app for their entire organization
Select how the app is managed: User vs Admin-managed
In general, if your app serves individual end users, you should default to User-managed. If your app is used by entire organizations, you should use admin-managed.
Scopes
For the Zoom OAuth integration to work properly, we need to include a several OAuth scopes.
These are different for user-level and account-level apps - make sure to select the scopes accordingly.
User-level (user-managed) scopes
| Scope Name | Purpose |
|---|---|
meeting:read:local_recording_token | This scope is used to retrieve the "Join Token For Local Recording", which is provided to the bot to allow it to automatically begin recording without prompting the host for permission. |
meeting:read:list_meetings | This scope is used to enumerate all of a user's scheduled meetings, so that a "Join Token for Local Recording" can be generated when a bot is sent to one of the meetings. |
user:read:user | This scope is used to read the user's Personal Meeting ID (PMI), so that a "Join Token for Local Recording" can be generated when a bot is sent to that meeting. |
user:read:zak (Optional) | This scope is only required if you're using the same Zoom app for meeting SDK functionality (configured in the Recall dashboard ) and your OAuth integration. If you're using a separate app for OAuth, this scope should be omitted. This scope is enabled automatically if Meeting SDK functionality is enabled on your OAuth app, and cannot be removed |
OAuth scopes for user-managed apps
The user:read:zak scope is only required if you're using the same Zoom App to
provide Meeting SDK functionality to your Zoom bots.
For the scope description, we recommend the following:
These scopes are used to give local recording permissions to meeting bots on behalf of the user. The user's ID as well as their meeting ID's (including their PMI) are stored in order to know which meetings to generate local recording join tokens for. All data is encrypted at rest.
Account-level (admin-managed) scopes
| Scope Name | Purpose |
|---|---|
meeting:read:local_recording_token:admin | This scope is used to retrieve the "Join Token For Local Recording", which is provided to the bot to allow it to automatically begin recording without prompting the host for permission. |
meeting:read:list_meetings:admin | This scope is used to enumerate all users' scheduled meetings, so that a "Join Token for Local Recording" can be generated when a bot is sent to one of the meetings. |
user:read:list_users:admin | This scope is used to read the users' Personal Meeting ID (PMI), so that a "Join Token for Local Recording" can be generated when a bot is sent to that meeting. |
OAuth scopes for admin-managed apps
In the Scope Description, we recommend the following response:
The local recording token scope is used to give meeting bots recording permission. The list users scope is used to retrieve all users for the Zoom account. The list meetings scope is used to get all meetings for a given user in the workspace. The users' meetings and account ID are stored in a database and are encrypted at rest.
Save your app details
Once you've set up your Zoom app, you should save the following 3 pieces of information from your Development application:
- Zoom App Client ID
- Zoom App Client Secret
- Zoom App Secret Token
Your client ID and client secret can be found under Build your app > Basic Information or simply in the Application Credentials card in the top left.
The Zoom App Secret Token can be found under Build your app > Features > Access
The Zoom App Secret Token is provided to Recall in order to validate incoming webhooks from Zoom.
We recommend storing these in a .env file for local development. This will make it simple to change these values to the corresponding production credentials when your Zoom app is approved.
2. Create the OAuth App in Recall
To create the Zoom OAuth App in Recall, send a POST request to the Create Zoom OAuth App endpoint.
The body should include:
kind:user_leveloraccount_leveldepending on your appclient_id: The client ID from the previous stepclient_secret: The client secret from the previous stepwebhook_secret: The secret token from the previous step
For simplicity, you can create this directly from the Create Zoom OAuth App API reference:
Keep the returned ID!
Store the id returned in the response somewhere easily accessible - you'll need this in the following steps.
This is your Recall Zoom OAuth App ID.
3. Configure webhooks
In order to automatically fetch tokens for a user's Zoom meetings, Recall needs a way to stay in sync with Zoom as new meetings are created.
To do this, we have to configure our Zoom app to send webhooks to a Recall endpoint - a webhook endpoint specific to the Zoom OAuth app you just created in the last step.
Add events
Click the "Add Events" button and select the following events:
Meeting > Meeting has been created
User > User's profile info has been updated
This is required to keep the personal meeting ID of the user in sync.
Add the event notification endpoint URL
Build your webhook URL using your Recall Zoom OAuth App ID:
https://us-east-1.recall.ai/api/v2/zoom-oauth-apps/{RECALL_ZOOM_OAUTH_APP_ID}/webhook
Note: Make sure to replace us-east-1.recall.ai with the appropriate base URL depending on your Region
If your server needs to receive these webhooks:
- Enter your own server's webhook endpoint in these fields
- Forward every Zoom webhook received to the Recall endpoint constructed above
- You must include the x-zm-request-timestamp and x-zm-signature headers.
- You must not modify the webhook body in any way. This includes any re-ordering of parameters that might happen when deserializing and re-serializing.
Enter this in the Event notification endpoint URL and save the event subscription.
Your Zoom app is now set up for the Recall OAuth integration. Almost there!
Recall vs customer managed OAuth
The next (and final) step is to implement the OAuth flow for your users in order to actually connect their Zoom accounts.
Once a user has gone through the OAuth flow, you can either manage access and refresh tokens on your end or have Recall manage these for you.
In general, we highly recommend using Recall-managed OAuth by default, unless:
- You already have an integration with the Zoom OAuth API.
- You need to call the Zoom API endpoints for other functionality in your app.
Before continuing
Make sure you have these saved for the final step:
- Zoom App Client ID
- Zoom App Client Secret
- Zoom App Secret Token
- Recall Zoom OAuth App ID
Updated about 8 hours ago
Implement the OAuth Flow: Recall vs Customer-managed OAuth