Zoom SDK App Review FAQ

How long does the Zoom SDK Application review take?

It typically takes 2-3 weeks.

Is a pentest required for the zoom app review

No, it is not required. However, in Zoom's words, if you donโ€™t have a third party pentest:

It would be helpful to provide the Zoom review team with additional documents that demonstrate that you developed your application with security in mind.
This can be in the form of an SSDLC, security/privacy policy for your users, an incident response plan, dependency management policy etc. For an SSDLC, it is typically a written document (can be as short as a page, as long as itโ€™s comprehensive) that outlines the security design of your app from requirements, through development, to production.

When we go through the Zoom SDK Key publishing process, does this mean our app will be listed on the Zoom Marketplace?

Yes. Your Zoom SDK app will be listed on the Zoom Marketplace. If you don't want the SDK app to be publicly listed, you can mention in the Zoom publishing review notes that you don't want your app to be listed.

OAuth - My app is already approved but I want to add OAuth scopes. Do I resubmit my current app or create a new one?

You can re-submit your current app after adding the necessary scopes. Your app will continue to work as-expected in production until your new submission is approved.

The Zoom reviewer is wondering why I need the user:read scope. How do I explain this?

If you're using the OAuth integration, a Zoom app reviewer might ask why you need the user:read scope.

We suggest responding with the following:

Our application uses OAuth integration to provide a seamless recording experience for users. Since personal meeting ID's are commonly used to host meetings by our users, and we'd like to provide the benefits of OAuth permissions for all of their meetings (including meetings hosted using their PMI), our application need the user:read scope to fetch users' personal meeting IDs from Zoom's Get User endpoint so we can provide OAuth tokens accordingly.

Without this scope, we can't provide these tokens for Personal Meeting ID's, which would prevent our users from leveraging OAuth functionality for these meetings.