Step 3: Submit your Zoom app for Review
The third step is to get your production credentials by having your app reviewed by the Zoom team.
By this point, you should have:
- Created a Recall account
- Created a Zoom app in Zoom's app marketplace (if not, you can do so by following the steps found here) and have your Zoom app's development credentials.
- Created your first bot and have a working end-to-end implementation of your entire Zoom app for a Zoom team member to review (if not, you can do so by following the steps found here).
Zoom OAuth app and Zoom app must be using the same Zoom credentials
If you are submitting a Zoom app with Zoom OAuth, the Zoom OAuth app must use the same Zoom credentials (meaning the SDK and OAuth must be the same Zoom app).
Let's dive into navigating Zoom's app submission process! 👇
Watch the video recording version of this Zoom App Submission Guide
Implementation Guide
Step 1: Open up the production settings for your Zoom app
Head to your Managed Apps in Zoom's app marketplace and click on the app you want to publish.
After selecting your app, make sure you're in the Production tab, as this is where the app submission details need to be added.
If you are not using OAuth and the OAuth Redirect URL field is blank, set it to your app's homepage URL.
Step 2: Update the Scopes
Next, head over to the "Scopes" tab in the sidebar. By default, there is always one scope (pictured below).
For each scope in your list, you must provide a reason why you need it in the Scope Description input box.
Note that if you add additional scopes, you will need to justify each of them as well.
If you omit any scope description, your app will be rejected.
All apps must have the following Scope Descriptions included:
user_zak:read - This scope is unused, however cannot be removed from a Zoom SDK app.
... Additional justifications for other scopes here
If you are submitting an OAuth User-Managed app, make sure the following Scope Descriptions are included:
user_zak:read - This scope is unused, however cannot be removed from a Zoom SDK app.
meeting:read:local_recording_token - This scope is used to retrieve the "Join Token For Local Recording", which is provided to the bot to allow it to automatically begin recording without prompting the host for permission.
meeting:read:list_meetings - This scope is used to enumerate all of a user's scheduled meetings, so that we can match meeting IDs to hosts. This enables us to generate a "Join Token for Local Recording" using the correct host credentials when a bot is sent to one of the meetings.
meeting:read:meeting - This scope is enabled automatically if `meeting:read:list_meetings` is enabled, and cannot be removed.
user:read:user - This scope is used to read the user's Personal Meeting ID (PMI), so that a "Join Token for Local Recording" can be generated when a bot is sent to that meeting.
... Additional justifications for other scopes here
If you are submitting an OAuth Account-Managed app, make sure the following Scope Descriptions are included:
user_zak:read - This scope is unused, however cannot be removed from a Zoom SDK app.
meeting:read:local_recording_token:admin - This scope is used to retrieve the "Join Token For Local Recording", which is provided to the bot to allow it to automatically begin recording without prompting the host for permission.
meeting:read:list_meetings:admin - This scope is used to enumerate all users' scheduled meetings, so that a "Join Token for Local Recording" can be generated when a bot is sent to one of the meetings.
user:read:list_users:admin - This scope is used to read the users' Personal Meeting ID (PMI), so that a "Join Token for Local Recording" can be generated when a bot is sent to that meeting.
... Additional justifications for other scopes here
Step 3: Update the App Listing
Zoom requires your developer information to be up to date. To update it, go to the "App Listing" tab in the sidebar. From there you should end up in the App Information tab.
Once here, there are several sections for you to fill out:
- Basic information - Every input (photo and text) must be filled out. This is the information about your app that every user will see.
- Developer contact information - This is important because it is the email address Zoom will use to contact you if there are any issues with your app. Make sure it is an email address you actually use.
- Categorize your app - Choose at least 1 value for each category.
After you fill out this page, click on the Link & Support tab.
Zoom is very particular about what these links contain and will check and deny your submission if the links lack certain information. Make sure each link contains the following:
- Privacy Policy - Provide the URL to your app's Privacy Policy. It must comply with applicable laws and regulations and clarify how you collect, use, share, retain and otherwise process personal information (Learn More).
- Terms of Use - Provide the URL for your app's Terms of Use agreement (Learn More).
- Support - This should at the very least include an email address for contacting your team for support (Learn More). Ideally, it would include more. Zoom suggests including a combination of the following:
  - Link to create a support case
  - Link to email support
  - Link to your knowledge bases or forums
  - Link to your Zoom IM - Live Customer Support Channel (if available)
  - Support Phone Number (if available)
  - Description of what customers can expect when engaging your support team, such as:
    - Hours of Your Support Team (if not follow-the-sun)
    - 1st Response SLA (maximum time a customer should expect to wait until they receive their first HUMAN response from your Customer Support Team)
- Documentation - Your documentation page should clearly demonstrate how to use your product, how to get started with it, and how to remove it from a user's Zoom account (Detailed Instructions for Documentation Pages). This page must include:
  - Usage: The usage page should clearly demonstrate how a user actually interacts with your application, and it should highlight how a user uses your product to send a bot to a Zoom call (e.g. how to record meetings, see recordings, and use other app features). For instance, if your app allows users to send bots to meetings by providing a meeting URL, you should include information on where and how they would do this.
  - Installation: How to install your app and get started.
    - If you're not using the Zoom OAuth integration, this can simply be "No installation is required."
    - If you are using the Zoom OAuth integration, this should be a few bullet points walking through where and how your user can grant OAuth permissions to your application.
  - Uninstallation: How to remove your app and revoke permissions.
    - If you're not using the Zoom OAuth integration, this can simply be "No installation is required."
    - If you are using the Zoom OAuth integration, this should be instructions on how to deauthorize your app.
    - Since all Zoom apps are removed the same way, this is typically something like:
      - Log in to your Zoom Account and navigate to the Zoom App Marketplace.
      - Click Manage > Installed Apps, or search for the {YOUR_APP_NAME} app.
      - Click on the {YOUR_APP_NAME} app.
      - Click Uninstall.
    Note: If you're using the Calendar integration, this should also include instructions on how to disconnect your calendar.
- Configure URL - Provide a URL link to the page in your app where a user can manage their Zoom integration.
- Deauthorization Notification Endpoint URL - When a user removes your app, Zoom will send a webhook event to this URL to notify you that the user has removed your app.
  - If you're not using the Zoom OAuth integration, this can simply be your app's home page.
  - If you are using the Zoom OAuth integration, this should be the same Recall webhook URL you used when setting up the Recall Zoom OAuth integration:
    https://us-east-1.recall.ai/api/v2/zoom-oauth-apps/{RECALL_ZOOM_OAUTH_APP_ID}/webhook
    where RECALL_ZOOM_OAUTH_APP_ID is the ID of your Zoom OAuth App in Recall.
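The Deauthorization Notification Endpoint matters beyond the listing form: whatever receives that POST is the point at which you must stop using a user's OAuth tokens. As an added example (not the page's or Recall's own code, and only relevant if you handle this webhook yourself rather than pointing Zoom at the Recall URL above), the following receiver verifies Zoom's x-zm-signature header (HMAC-SHA256 over v0:{timestamp}:{body} keyed with the app's Secret Token, as Zoom documents), rejects stale timestamps to blunt replays, answers Zoom's endpoint.url_validation challenge, and deletes the stored tokens on an app_deauthorized event. The Secret Token, user IDs and event payload are constructed placeholders, and the in-memory dict stands in for your token database.

```python
import hashlib
import hmac
import json
import time

# Constructed placeholder; in a real deployment this is the Secret Token shown
# for the app in the Zoom Marketplace, never hard-coded in source.
ZOOM_SECRET_TOKEN = "constructed-example-secret-token"

# Maximum accepted age, in seconds, of the x-zm-request-timestamp header.
MAX_CLOCK_SKEW_SECONDS = 300


def zoom_signature(secret_token: str, timestamp: str, raw_body: str) -> str:
    """Expected x-zm-signature value: 'v0=' + hex(HMAC-SHA256('v0:{ts}:{body}'))."""
    message = f"v0:{timestamp}:{raw_body}".encode("utf-8")
    digest = hmac.new(secret_token.encode("utf-8"), message, hashlib.sha256).hexdigest()
    return f"v0={digest}"


def validation_token(secret_token: str, plain_token: str) -> str:
    """encryptedToken for Zoom's URL validation challenge: hex(HMAC-SHA256(plainToken))."""
    return hmac.new(secret_token.encode("utf-8"), plain_token.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_zoom_request(secret_token, headers, raw_body, now=None):
    """Return True only if the request carries a fresh, valid Zoom signature."""
    headers = {k.lower(): v for k, v in headers.items()}
    timestamp = headers.get("x-zm-request-timestamp")
    signature = headers.get("x-zm-signature")
    if not timestamp or not signature:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - sent_at) > MAX_CLOCK_SKEW_SECONDS:
        return False  # replayed or badly skewed request
    expected = zoom_signature(secret_token, timestamp, raw_body)
    return hmac.compare_digest(expected, signature)  # constant-time comparison


def handle_deauthorization_webhook(secret_token, headers, raw_body, token_store, now=None):
    """Process one POST to the Deauthorization Notification Endpoint URL.

    token_store maps Zoom user IDs to the OAuth tokens held for them.
    Returns (http_status, response_body_dict).
    """
    if not verify_zoom_request(secret_token, headers, raw_body, now):
        return 401, {"error": "invalid or stale signature"}
    event = json.loads(raw_body)
    payload = event.get("payload", {})

    # Zoom validates a newly configured endpoint by sending a plainToken and
    # expecting it echoed back next to its HMAC-SHA256 digest.
    if event.get("event") == "endpoint.url_validation":
        plain = payload["plainToken"]
        return 200, {"plainToken": plain, "encryptedToken": validation_token(secret_token, plain)}

    if event.get("event") == "app_deauthorized":
        user_id = payload.get("user_id")
        revoked = token_store.pop(user_id, None) is not None
        # The user's tokens are gone, so no further Zoom API calls (e.g. fetching a
        # Join Token for Local Recording) can be made on their behalf.
        return 200, {"user_id": user_id, "tokens_revoked": revoked}

    return 200, {"ignored": event.get("event")}


def constructed_deauthorization_request(secret_token, user_id, now):
    """Build a signed request shaped like Zoom's app_deauthorized event (constructed sample)."""
    body = json.dumps({
        "event": "app_deauthorized",
        "payload": {
            "account_id": "constructed-account-id",
            "user_id": user_id,
            "client_id": "constructed-client-id",
            "deauthorization_time": "2024-01-01T00:00:00.000Z",
        },
    })
    timestamp = str(now)
    headers = {
        "x-zm-request-timestamp": timestamp,
        "x-zm-signature": zoom_signature(secret_token, timestamp, body),
    }
    return headers, body


if __name__ == "__main__":
    store = {"user-123": {"access_token": "constructed", "refresh_token": "constructed"}}
    now = 1_700_000_000
    hdrs, body = constructed_deauthorization_request(ZOOM_SECRET_TOKEN, "user-123", now)
    print(handle_deauthorization_webhook(ZOOM_SECRET_TOKEN, hdrs, body, store, now))
    print(store)  # user-123 has been removed
```

The signature check runs before the body is parsed, so an unsigned or tampered request never reaches the token store, and the timestamp window keeps a captured valid request from being replayed later to re-trigger processing. Revocation here is a dictionary pop; in a real app it is the same delete you would issue against whatever stores the tokens used to obtain Join Tokens for Local Recording.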
Step 4: Update the Technical Design
Now, Zoom needs information about how you built your app and whether it is compliant. Go to the "Technical Design" tab in the sidebar. From there you should end up in the Overview tab.
There are three tabs here which you will need to fill out:
Overview
- Technology Stack - The majority of your response should depend on the rest of your application. You can include the sentence "We use the Recall.ai meeting bot service to capture audio and video data from meetings." to describe your usage of Recall.ai.
- Architecture Diagram - You should provide an architecture diagram showing Recall.ai as an external API. Here is the architecture diagram of the Recall.ai service to attach to your diagram as an appendix if necessary.
- Application Development - These questions are not related to the Recall.ai service. Don't worry if you answer "No" to questions 1-3 in the Application Development section; Zoom will not reject your Production app based on these answers, which are only required for beta submissions.
Submitting your Zoom app for beta
If submitting your app for beta, all of questions 1-3 in Application Development must be marked "Yes" and you must upload proof. If you do not submit proof, your app will be rejected for beta. See here for more info.
Security
- Question 1 - Recall.ai's service meets these standards. You should answer "Yes" if the other parts of your service meet this standard, and "No" if they do not.
- Question 2 - Answer "Yes" if you are using the Recall Zoom OAuth integration. If you are handling the webhooks yourself, answer "Yes" or "No" depending on your specific implementation.
- Question 3 - Answer "Yes" if you are using the Recall Zoom OAuth integration. If you are handling this integration yourself, answer "Yes" or "No" depending on your specific implementation.
If you are using the Recall Zoom OAuth integration, you can answer as follows: "My application uses Recall.ai to capture data from the Zoom meeting. Metadata captured by Recall.ai, including Zoom OAuth tokens, is encrypted at rest using AWS RDS database encryption. Media such as audio and video is encrypted at rest using AWS S3 bucket encryption. Recall.ai retains the data for only 7 days before permanently deleting it."
Also include details on how your application handles user data after it's ingested into your systems.
Privacy
- Question 1 - Recall.ai does not require recording or chat scopes, so you may answer with the following:
- "We do not use any Recording or Chat scopes in our application."
- Questions 2-7 - Recall.ai's service does not do any of these things. Answer "Yes" or "No" depending on the other parts of your app.
- Question 8 - Recall.ai is considered a "fourth party". You should check "Yes". A text box will appear, asking for more detail. An example answer would be the following:
- "We disclose data to Recall.ai, which is a meeting bot API we use to capture data from meetings. Our contract with Recall.ai limits their use, maintenance, and disclosure of such data to the language in our privacy statement."
- Questions 9-10 - Recall.ai's service does not do any of these things. Answer "Yes" or "No" depending on the other parts of your app.
- Question 11 - The Recall.ai service does not mandate any retention, as you can delete any captured data immediately using the Delete Bot Media endpoint. Answer depending on the retention the rest of your application requires.
- Questions 12-16 - Your usage of the Recall.ai service does not affect any of these answers.
Step 5: App Submission Test Plan
Finally, head to the "App Submission" tab in the sidebar.
Once there, there's a text area called "Release Notes" where you need to explain to the reviewer how to test your app.
Release Notes is a critical step
To minimize any ambiguity and ensure your first app submission is successful, record a Loom of yourself walking through your app (from login/account creation to end) and paste the Loom link in the Release Notes field.
The reviewer will watch your Loom and reproduce the exact steps to test your app.
Zoom is looking to verify a few things when conducting the test:
- All requested scopes are actually being used
- The bot that joins the call is using the correct set of SDK credentials
If you are not using Zoom OAuth, your test plan Loom recording should include:
- Instructions on how to log in to your app using test credentials provided by you
- Instructions on how to send the bot to a call
- Point out that the bot sends a recording permission request dialog to the host, and only starts recording once it's been granted permission by the host
- Point out that the bot displays the recording consent notification once it starts recording
- Point out that the Zoom Active Apps Notifier shows that your SDK app is currently active in the call
If you are using Zoom OAuth, your test plan Loom recording should include:
- Instructions on how to log in to the application using the test credentials provided
- Instructions on how to connect your Zoom account via OAuth
- Explain that the requested credentials are used to keep track of which meetings belong to the user, so that a "Join token for local recording" can be retrieved from the Zoom API when a bot is sent to the call
- Instructions on how to send the bot to a call
- Point out that the bot automatically has recording permission because the bot was able to get a "Join token for local recording" using the scopes requested earlier
- Point out that the bot displays the recording consent notification once it starts recording
- Point out that the Zoom Active Apps Notifier shows that your SDK app is currently active in the call
After you add your Loom walkthrough, submit the app and wait for a Zoom app reviewer to get back to you (this usually takes 5-7 business days).
Important notes before submission
First time submissions
- You must submit your Zoom app using your Zoom app's production credentials.
- To do this, you should have a Recall workspace dedicated to production. If you need a new workspace, reach out to support and we can set one up for you.
- In your Recall production workspace, add your Zoom production credentials, and when you submit your app to Zoom, make sure you're using your Recall production workspace's API key.
- App reviews take about 2-3 weeks before getting approved.
Making edits to already approved submissions
- You must submit your Zoom app using your Zoom app's development credentials.
- In your Recall development workspace, add your Zoom development credentials, and when you submit your app to Zoom, make sure you're using your Recall development workspace's API key.
Post Submission
Zoom SDK OAuth Compliance Review Document
You will receive a document over Google Docs titled "Zoom SDK OAuth Compliance Review", asking questions about how the Zoom SDK is being used.
Because this is all handled by Recall, the following are our recommended responses:
https://docs.google.com/document/d/1ZAf9vEt3AqxaO7n2kM3tJQGI1599YSNvd14xFA3vAsU/edit?usp=sharing
FAQs
How long does the Zoom SDK Application review take?
It typically takes 2-3 weeks.
Is a pentest required for the Zoom app review?
No, it is not required. However, in Zoom's words, if you don't have a third-party pentest:
It would be helpful to provide the Zoom review team with additional documents that demonstrate that you developed your application with security in mind.
This can be in the form of an SSDLC, security/privacy policy for your users, an incident response plan, dependency management policy etc. For an SSDLC, it is typically a written document (can be as short as a page, as long as it’s comprehensive) that outlines the security design of your app from requirements, through development, to production.
When we go through the Zoom SDK Key publishing process, does this mean our app will be listed on the Zoom Marketplace?
Yes. Your Zoom SDK app will be listed on the Zoom Marketplace. If you don't want the SDK app to be publicly listed, you can mention in the Zoom publishing review notes that you don't want your app to be listed.
OAuth - My app is already approved but I want to add OAuth scopes. Do I resubmit my current app or create a new one?
You can re-submit your current app after adding the necessary scopes. Your app will continue to work as-expected in production until your new submission is approved.
Why was my app rejected?
If your app was rejected for any reason, the Zoom app reviewer will provide information detailing why it was rejected. You can find this information in the App Notes as shown below.
The Zoom reviewer is wondering why I need the user:read scope. How do I explain this?
If you're using the OAuth integration, a Zoom app reviewer might ask why you need the user:read scope.
We suggest responding with the following:
Our application uses OAuth integration to provide a seamless recording experience for users. Since personal meeting IDs are commonly used by our users to host meetings, and we'd like to provide the benefits of OAuth permissions for all of their meetings (including meetings hosted using their PMI), our application needs the user:read scope to fetch users' personal meeting IDs from Zoom's Get User endpoint so we can provide OAuth tokens accordingly. Without this scope, we can't provide these tokens for Personal Meeting IDs, which would prevent our users from leveraging OAuth functionality for these meetings.
Why can't my users install my Zoom App?
Some Zoom workspaces require administrators to approve apps before they can be downloaded to the workspace. If your users are seeing a message like "Unable to install this app because it needs pre-approval by your account admin", they'll need to request pre-approval from their Zoom administrator.
This can be done by searching your app on the Zoom Marketplace. On the application page, the user will see an option to request pre-approval from their Zoom admin. Once they request approval, the admin will receive an email from [email protected] with details on how to approve your application. After it's approved, the user will be able to install the Zoom app.