# Transitioning to On Behalf Of (OBF) tokens in Meeting SDK apps

As part of Zoom's efforts to enhance the user experience for meeting apps and strengthen user accountability and transparency, we’re introducing a new requirement for apps that join meetings outside their own account. We understand that changes to authorization and implementation take engineering effort and product decisions. We don't ask you to make these changes lightly. Furthermore, we see this as an important user expectation that builds trust in a world that increasingly expects AI apps in meetings.

**Beginning March 2, 2026, apps joining meetings outside their account must be authorized. Meet this requirement by using either OBF or ZAK tokens, or RTMS.** Learn more [here](/docs/meeting-sdk/obf-faq/).

**Note:** this is only required to join meetings outside the user's Zoom account. Meeting SDK apps that join meetings on a user's same account can (but are not required to) use the On Behalf Of token.

SDK apps must now be attributed to the users who use them in meetings. Meeting SDK apps will therefore need to authorize either with the ZAK token (to join as the user) or with a new token, the OBF token (to join as the user's assistant app, on behalf of that user). The OBF token is a short-lived, single-use token _retrieved with a REST API_ and authorized with the user's OAuth access token. It allows third-party apps to join a meeting and be associated with a specific user in the meeting's participant list.

In this blog, we'll review different scenarios we see for apps on the App Marketplace and walk through how to implement the new token.

## How these changes affect your app

Accessing a user's OBF token requires the `user:read:token` scope. Your app may need to add this scope and prompt users to authorize it again if the scope was not previously granted.
Here are a few scenarios your app may be in given the scopes it uses today:

| App type | Previous requirements | New requirements | Needs Marketplace review |
| --- | --- | --- | --- |
| Meeting SDK apps using OAuth with the `user:read:token` scope | App could join meetings using only its SDK credentials. | Must request a user's OBF token using the existing `user:read:token` scope and pass it to the Meeting SDK. | No – scope already granted. |
| Meeting SDK apps using OAuth without the `user:read:token` scope | App could join meetings without needing additional user-level authorization. | Must add the `user:read:token` scope in the App Marketplace and reauthorize the app to receive the OBF token. | Yes – add the new scope and submit a review request. |
| Meeting SDK apps without user authorization | App joined meetings without any user association or OAuth flow. | Must implement OAuth user authorization, add the `user:read:token` scope, and request user authorization to obtain a user’s access token for joining on their behalf. | Yes – add the new scope, submit a review request, and request user authorization. |

**Marketplace Review Priority:** We encourage you to implement the required `user:read:token` scope as soon as possible so that your app's review can be prioritized.

**OAuth Implementation:** If your app does not yet implement user authorization (OAuth), you will need to add this flow. Implementing OAuth is the necessary first step to enable users to authorize the app and bring it with them into meetings. This allows users to best manage the permissions of the apps they use in their meetings.

**Backend Service:** Your app will need a backend service that can securely call the REST API, handle user authorization, and manage refreshing of access tokens for each user.

## Request and use an OBF token

1. Request a user access token when the app is installed using the OAuth 2.0 flow.
2. Store and refresh the user's access token.
3. Use the user's access token to authorize a request for an OBF token via the REST API.

   ```http
   GET https://api.zoom.us/v2/users/me/token?type=onbehalf&meeting_id={meeting}
   ```

4. Provide the retrieved OBF token when joining a meeting using the Meeting SDK.
   - Web SDK version 4.1.0.
   - [Linux SDK Reference - onBehalfToken](https://marketplacefront.zoom.us/sdk/meeting/linux/structtag_join_param4_without_login.html#aa3c0a12a7f76a735d1a6bf4aef227ead).
   - [Windows SDK - onBehalfToken](https://marketplacefront.zoom.us/sdk/meeting/windows/structtag_join_param4_without_login.html#aa3c0a12a7f76a735d1a6bf4aef227ead).
5. Refresh the user's access token when it expires to maintain authorization.

For a functional starting point, see the [User-level OAuth starter app](https://github.com/zoom/user-level-oauth-starter) on GitHub.

## Handling Join Failures

When your SDK application attempts to join a meeting and encounters a failure, you must implement the following retry logic:

- **Failure Condition:** If the SDK app receives a join failure error, it indicates that the authorizing user has not yet entered the meeting.
- **Required Action:** Your app must automatically retry the join attempt after a 1-5 second waiting period.
- **Error Handling:** Starting with SDK version 6.6.10 (released November 8, 2025), a specific error code will be available for this scenario: `MEETING_FAIL_AUTHORIZED_USER_NOT_INMEETING`.

## Implement user level authorization (OAuth 2.0)

Follow these steps to implement the OAuth 2.0 flow and authenticate your app with Zoom’s APIs.

### 1. Configure your app

Find your app in the [Zoom App Marketplace](https://marketplace.zoom.us/), set the redirect URL, and add the required scopes. You’ll use these values to generate access tokens that authenticate your API requests.

---

### 2. Authorize your app

You can [authorize your app](/docs/integrations/oauth/#app-type-general) in either of two ways.

- **Option 1:** From the app’s Local Test page, click Add App Now.
- **Option 2:** Open the authorization URL in your browser:

  ```shell
  https://zoom.us/oauth/authorize?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}
  ```

**Note:** Replace `{client_id}` and `{redirect_uri}` with your app’s credentials. After the user authorizes, Zoom redirects to your `redirect_uri` with an `authorization_code`.

---

### 3. Exchange the authorization code for an access token

Send a POST request to the Zoom token endpoint.

```http
POST https://zoom.us/oauth/token?grant_type=authorization_code&code={authorization_code}&redirect_uri={redirect_uri}
```

Include your `client_id` and `client_secret` as a Basic Authorization header, Base64-encoded.

```http
Authorization: Basic {BASE64_ENCODED_CLIENT_ID:CLIENT_SECRET}
Content-Type: application/x-www-form-urlencoded
```

**Example request**

```shell
curl --request POST \
  --url "https://zoom.us/oauth/token?grant_type=authorization_code&code=Wk9PTV9BVVRIT1JJWkFUSU9OX0NPREU&redirect_uri=https://example.com" \
  --header "Authorization: Basic Wk9PTV9DTElFTlRfSUQ6Wk9PTV9DTElFTlRfU0VDUkVU"
```

**Example response**

If the previous example request is successful, you’ll receive a JSON response containing your tokens.
```json
{
  "access_token": "eyJzdiI6IjAwMDAwMiIsImFsZyI6IkhTNTEyIiwidiI6IjIuMCIsImtpZCI6IlpPT01fS0lEIn0...",
  "token_type": "bearer",
  "refresh_token": "eyJzdiI6IjAwMDAwMiIsImFsZyI6IkhTNTEyIiwidiI6IjIuMCIsImtpZCI6IlpPT01fS0lEIn0...",
  "expires_in": 3600,
  "scope": "user:read:token,user:read:token:admin",
  "api_url": "https://api.zoom.us"
}
```

**Note:** access tokens expire after one hour. Use the `refresh_token` to get a new access token without reauthorization. With a valid access token in hand, you can authenticate your API requests.

---

### 4. Get OBF Token

Once you have an access token, you can start making authenticated API calls.

```shell
curl --request GET \
  --url "https://api.zoom.us/v2/users/{user_id}/token?type=onbehalf" \
  --header "Authorization: Bearer {access_token}" \
  --header "Content-Type: application/json"
```

Replace `{user_id}` and `{access_token}` with your actual values.

---

### 5. Submit and verify your app

Once you have completed all the required testing and confirmed that all app details are correct, you need to [prepare your app for production](/docs/build-flow/prep-app-for-prod/) and [submit your app to Zoom for review](/docs/distribute/app-submission/submit-apps-review/). If you are developing an internal-only app that will only be used by users on your own Zoom account, you don't need to submit your app to the Zoom Marketplace.

## Alternative option: Realtime Media Streams (RTMS)

Additional options for attribution, improved user experience, and robust data access come with our purpose-built solution, [Realtime Media Streams](/docs/rtms/). This provides valuable [improvements to user experience with meeting assistants](/blog/improving-ux-rtms/) when paired with an embedded web app in the meeting. With RTMS, apps automatically join meetings alongside their users, and your application gets direct access to live audio, video and transcript streams from your Zoom meetings.

Explore our developer blog post on [Announcing Realtime Media Streams](/blog/realtime-media-streams/). If you have remaining questions, check out the [FAQ](https://devforum.zoom.us/t/updates-to-meeting-sdk-authorization-faq/139269) for deeper guidance.
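Putting the "Request and use an OBF token" steps and the "Handling Join Failures" rule together in one backend helper, as an added example that is not code from this post, from Zoom, or from the starter app: `fetch_obf_token` refreshes the stored user access token when it has expired and then calls the OBF endpoint with `meeting_id`, and `join_with_retry` applies the bounded retry rule from the join-failures section. The `http` and `join` callables, the `UserTokens` class, the refresh request shape, and the `token` field in the OBF response are assumptions.

```python
import base64
import time

TOKEN_URL = "https://zoom.us/oauth/token"
OBF_URL = "https://api.zoom.us/v2/users/me/token"
# Error name from the post (SDK 6.6.10+). Its numeric value is SDK-specific, so the
# join callable used here reports the name itself. The OBF token is single-use; whether
# a failed join consumes it is not stated in the post, so the same token is retried here.
USER_NOT_INMEETING = "MEETING_FAIL_AUTHORIZED_USER_NOT_INMEETING"

def basic_auth_header(client_id, client_secret):
    """Header for the token endpoint: base64(client_id:client_secret). Both values
    and the refresh tokens stay on the backend; only the OBF token goes to the SDK."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

class UserTokens:
    """Per-user OAuth state the backend stores (step 2: store and refresh). Assumed shape."""

    def __init__(self, access_token, refresh_token, expires_in, now=time.time):
        self.now, self.access_token, self.refresh_token = now, access_token, refresh_token
        self.expires_at = now() + expires_in  # expires_in is 3600 in the post's response

    def expired(self, skew=60):
        return self.now() >= self.expires_at - skew

def fetch_obf_token(tokens, meeting_id, http, client_id, client_secret):
    """Steps 3 and 5: refresh the access token when expired, then request an OBF token.
    `http(method, url, headers)` returns the decoded JSON body (assumed transport)."""
    if tokens.expired():  # standard OAuth refresh grant; request shape is an assumption
        url = f"{TOKEN_URL}?grant_type=refresh_token&refresh_token={tokens.refresh_token}"
        body = http("POST", url, {"Authorization": basic_auth_header(client_id, client_secret)})
        tokens.access_token, tokens.refresh_token = body["access_token"], body["refresh_token"]
        tokens.expires_at = tokens.now() + body["expires_in"]
    url = f"{OBF_URL}?type=onbehalf&meeting_id={meeting_id}"
    body = http("GET", url, {"Authorization": f"Bearer {tokens.access_token}"})
    return body["token"]  # response field name is assumed; the post does not show the body

def join_with_retry(join, obf_token, max_attempts=5, wait_seconds=2, sleep=time.sleep):
    """Step 4 plus the join-failure rule: wait 1-5 s and retry while the authorizing
    user has not entered the meeting yet. Returns (result, attempts used)."""
    for attempt in range(1, max_attempts + 1):
        result = join(obf_token)  # e.g. the Meeting SDK join call with onBehalfToken set
        if result != USER_NOT_INMEETING:
            return result, attempt
        if attempt < max_attempts:
            sleep(wait_seconds)  # bounded retries: stop if the user never shows up
    return USER_NOT_INMEETING, max_attempts
```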