Server-to-Server OAuth
Use server-to-server OAuth account credentials to authenticate with Zoom when making API requests. This is also known as two-legged OAuth as it uses a two step process flow that does not require user interaction for authentication or authorization. Here's the flow.
- Your server-to-server OAuth client requests an access token from the Zoom authorization server.
- Your client uses the access token to make API requests or modify resources.
Here are the steps.
Prerequisites
Get app credentials
App credentials are the client credentials, including the account ID, client ID, and client secret, which Zoom provides to app developers to access the Zoom platform. Get your app credentials on your app details page on the Zoom App Marketplace.
Generate access token
Use the account_credentials grant type to generate an access token. The features of this grant type are:
- The token is the owner's access token.
- The token's time to live is one hour (3600 seconds).
- There is no refresh token.
- You can generate and use multiple access tokens.
- Tokens stop working when the app is deactivated.
- Server-to-Server OAuth apps can be deleted.
- Account administrators authorize the scopes available to developers building these app types.
To generate an access token
Follow these steps once you've gotten your app credentials (your account ID, client ID, and client secret).
-
Encode the client ID and client secret in base64 format (with a colon between them, e.g.
client_id:client_secret).For example, on your local system, open a terminal and run the command:
echo -n client_id:client_secret | base64 -
Set up your API request header and include your encoded client ID and client secret using the 'Basic' HTTP Authentication Scheme (replace
HHHHH0000011111with your encoded credentials).{ "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic HHHHH0000011111" } -
Set up the body of the access token request using the
account_credentialsgrant_typeand youraccount_id(replace1234with your account ID).{ "grant_type": "account_credentials", "account_id": 1234 } -
Send the header and body as a POST request to the token API at
https://zoom.us/oauth/tokento get an access token. -
The successful response will be the access token, a Bearer token type that expires in an hour, with the scopes that you chose in your app settings screen.
Key Value access_tokenYour access token. token_typeThe token type ( bearer)expires_inExpires in one hour ( 3600seconds).scopeThe scopes that you chose in your app settings page on the Zoom App Marketplace. api_urlThe cluster URL the backend services can connect to. Here's an example.
{ "access_token": "<JWT_TOKEN>", "token_type": "bearer", "expires_in": 3599, "scope": "user:read:admin", "api_url": "https://api.zoom.us" }
Code samples
See the following samples on Github, code samples using curl and PowerShell, and Postman request for examples. See the previous step for an example of a successful response.
Samples on Github
Terminal command line curl method
Syntax:
curl -X POST https://zoom.us/oauth/token -d 'grant_type=account_credentials' -d 'account_id={accountID}' -H 'Host: zoom.us' -H 'Authorization: Basic Base64Encoded(clientId:clientSecret)'
Example:
curl -X POST https://zoom.us/oauth/token -d 'grant_type=account_credentials' -d 'account_id=5yiPLwmTTpQVBnMxOlf32q' -H 'Host: zoom.us' -H 'Authorization: Basic aGwbwxOgK6eGHEO0W1DOCv5WCODeVxoet7DFEON7bR23gP5qEW7cmeWCbCEO3ApBEWlRwCVpDWB=='
PowerShell
Note that the following syntax and example shows the Powershell widget version installed on macOS. Windows users may need to add the -UseBasicParsing tagline within the request.
Syntax:
Invoke-WebRequest -Method POST -Uri https://zoom.us/oauth/token -ContentType 'application/x-www-form-urlencoded' -Body @{ grant_type='account_credentials'; account_id='ACCOUNT_ID' } -Headers @{ Host='zoom.us'; Authorization='Basic BASE64ENCODED_CLIENTID:CLIENTSECRET' }
Example:
Invoke-WebRequest -Method POST -Uri https://zoom.us/oauth/token -ContentType 'application/x-www-form-urlencoded' -Body @{ grant_type='account_credentials'; account_id='5yiPLwmTTpQVBnMxOlf32q' } -Headers @{ Host='zoom.us'; Authorization='Basic aGwbwxOgK6eGHEO0W1DOCv5WCODeVxoet7DFEON7bR23gP5qEW7cmeWCbCEO3ApBEWlRwCVpDWB==' }
Postman
See Zoom's Postman Public Workspace for details.
Syntax:
POST https://zoom.us/oauth/token?grant_type=account_credentials&account_id={accountId}
HTTP/1.1
Host: zoom.us
Authorization: Basic Base64Encoder(clientId:clientSecret)
Get a new access token
There are no refresh tokens for this grant type. To get a new access token, your app should call the /oauth/token endpoint again with the account_credentials grant. Follow the steps to generate a new access token.
Make API requests
Use OAuth 2.0 to make API requests to Zoom endpoints. For example, follow the steps below to get information about your Zoom account.
- Send the access token in the Authorization header as a Bearer token (replace
ABCDE12345with your access token).
{
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Bearer ABCDE12345"
}
-
Send a GET request with this header to
https://api.zoom.us/v2/users/me(Get a user) to get details about your Zoom account. -
Receive response. If successful, you'll receive details about your account.
{
"id": "ZXY333",
"first_name": "Joe",
"last_name": "Chill",
"display_name": "Joe Chill",
"email": "jchill@example.com",
"type": 1
// ...
}
See Using Zoom APIs: API requests for more information about making requests to Zoom APIs.
Access token best practices
You can generate multiple access tokens for a server-to-server OAuth app without invalidating the previous tokens. Each token will expire an hour after creation. With that in mind, here are some best practices:
- Create a unique server-to-server OAuth app for each service to best monitor permissions, usage, and logs.
- App owners should only have permissions necessary for required scopes.
- Request only the scopes required for a single app or integration.
- Share access tokens within a single app rather than across multiple apps.
- Monitor call logs on a per-app basis.