FAQ

Zoom SDK App Review FAQ

How long does the Zoom SDK Application review take?

It typically takes 2-3 weeks.

Is a pentest required for the Zoom app review?

No, it is not required. However, in Zoom's words, if you don’t have a third-party pentest:

It would be helpful to provide the Zoom review team with additional documents that demonstrate that you developed your application with security in mind.
This can be in the form of an SSDLC, security/privacy policy for your users, an incident response plan, dependency management policy etc. For an SSDLC, it is typically a written document (can be as short as a page, as long as it’s comprehensive) that outlines the security design of your app from requirements, through development, to production.

When we go through the Zoom SDK Key publishing process, does this mean our app will be listed on the Zoom Marketplace?

Yes. Your Zoom SDK app will be listed on the Zoom Marketplace. If you don't want the SDK app to be publicly listed, you can mention in the Zoom publishing review notes that you don't want your app to be listed.

OAuth - My app is already approved but I want to add OAuth scopes. Do I resubmit my current app or create a new one?

You can resubmit your current app after adding the necessary scopes. Your app will continue to work as expected in production until your new submission is approved.

Why was my app rejected?

If your app was rejected for any reason, the Zoom app reviewer will provide information detailing why it was rejected. You can find this information in the App Notes as shown below.

App Notes will tell you exactly why your app was rejected, and how to resolve any issues before resubmitting.


The Zoom reviewer is wondering why I need the user:read scope. How do I explain this?

If you're using the OAuth integration, a Zoom app reviewer might ask why you need the user:read scope.

We suggest responding with the following:

Our application uses OAuth integration to provide a seamless recording experience for users. Since personal meeting IDs are commonly used to host meetings by our users, and we'd like to provide the benefits of OAuth permissions for all of their meetings (including meetings hosted using their PMI), our application needs the user:read scope to fetch users' personal meeting IDs from Zoom's Get User endpoint so we can provide OAuth tokens accordingly.

Without this scope, we can't provide these tokens for Personal Meeting IDs, which would prevent our users from leveraging OAuth functionality for these meetings.

Why can't my users install my Zoom App?

Some Zoom workspaces require administrators to approve apps before they can be downloaded to the workspace. If your users are seeing a message like "Unable to install this app because it needs pre-approval by your account admin", they'll need to request pre-approval from their Zoom administrator.

This can be done by searching for your app on the Zoom Marketplace. On the application page, the user will see an option to request pre-approval from their Zoom admin. Once they request approval, the admin will receive an email from [email protected] with details on how to approve your application. After it's approved, the user will be able to install the Zoom app.

The Zoom reviewer is asking for TestFlight or .apk files. What do I provide here?

Some applications have reported receiving the following message from Zoom during their application review:

We noticed you have enabled the Meeting SDK feature. Please provide all relevant information needed for us to test your integration, including TestFlight or .apk file links for mobile apps. If your app includes bot functionality, please provide instructions for testing those features. Additionally, ensure that all required Legal UI Notices are implemented in your app’s UI as outlined here: https://developers.zoom.us/docs/meeting-sdk/ui-notices/ We recommend updating your app to the latest SDK version. If your app requires specific hardware for testing, please include that information in your next submission so we can arrange a time to demo the application in a meeting.

This integration uses a meeting bot, so there are no TestFlight or .apk files that you need to provide here. There's also no specific hardware required for the Zoom team to test your application.

If you've followed our recommendations for submitting a Zoom application, then you should already have a Test Plan included in your application. If you do, then you can reference this test plan in your response and note that the integration does implement all of Zoom's required Legal UI Notices.