Zoom App Setup
Create and configure a Zoom app for use with Meeting BaaS, including Marketplace approval
Setting Up a Zoom App
This guide walks through creating a Zoom app on the Zoom App Marketplace. You will use this app to either:
- Use SDK credentials for internal meetings (no OBF tokens needed)
- Implement OAuth for OBF tokens when joining external meetings
Prerequisites
- A Zoom account (free or paid works)
- Access to the Zoom App Marketplace
Creating Your Zoom App
Go to the Zoom App Marketplace
Navigate to marketplace.zoom.us and sign in. Click Develop in the top navigation, then Build App.
Select General App
Choose General App as the app type. This is the unified app type that supports both OAuth and Meeting SDK.
Give your app a descriptive name (e.g., "Acme Recording Bot").
Configure Basic Information
Fill out the Basic Information section:
| Field | Description |
|---|---|
| App Name | Your app's display name |
| Short Description | Brief description of what your app does |
| Long Description | Detailed description (required for Marketplace listing) |
| Company Name | Your organization name |
| Developer Name | Primary contact name |
| Developer Email | Primary contact email |
OAuth Redirect URL: Enter the URL where you will handle OAuth callbacks. If you are only using SDK credentials without OAuth, you can set this to your app's home page (e.g., https://yourapp.com/dashboard).
Enable Meeting SDK
Navigate to Features → Embed in the sidebar.
Toggle Meeting SDK to On.
This enables your app to join meetings using the Zoom Meeting SDK.
Configure Scopes
Navigate to Scopes in the sidebar.
Default scope: When you enable Meeting SDK, Zoom automatically adds user:read:zak. This is required by the Meeting SDK toggle.
Additional scopes: Depending on your integration, you may need to add more scopes. Use this matrix to determine what you need:
| Integration Type | user:read:zak | user:read:token | user:read:user |
|---|---|---|---|
| SDK credentials only (internal meetings) | ✓ Auto-added | Not needed | Not needed |
| OBF: Direct token (you fetch tokens yourself) | ✓ Auto-added | You add to your app | You add to your app |
| OBF: Token URL (you host an endpoint) | ✓ Auto-added | You add to your app | You add to your app |
| OBF: Managed OAuth (Meeting BaaS stores tokens) | ✓ Auto-added | ✓ Required | ✓ Required |
Which integration type should I use?
- Internal meetings only: Use SDK credentials. No additional scopes needed.
- External meetings, you manage OAuth: Use Direct token or Token URL. Add scopes to your Zoom app.
- External meetings, we manage OAuth: Use Managed OAuth. Add both
user:read:tokenanduser:read:user.
See OBF Token Support for details on each option.
To add scopes, click Add Scopes, search for the scope name, and add it.
Get Your Credentials
OAuth credentials (for OBF tokens):
Navigate to Basic Information to find:
- Client ID — Used in OAuth authorization URL
- Client Secret — Used when exchanging authorization codes
SDK credentials (for internal meetings and AAN attribution):
Navigate to Features → Embed → Meeting SDK section to find:
- SDK Key (Client ID) — Use as
zoom_sdk_id - SDK Secret — Use as
zoom_sdk_pwd
See Zoom's guide: Get Meeting SDK Credentials
Active Apps Notifier (AAN) Attribution
When a bot joins a Zoom meeting using the Meeting SDK, Zoom displays the app name in the Active Apps Notifier (AAN) — a notice visible to all meeting participants showing which apps are accessing meeting content. The app name shown is determined by the SDK credentials used to initialize the session.
Zoom Marketplace Requirement: During Marketplace review, Zoom requires the AAN to display your app name. If the AAN shows a different app name (e.g., "Meeting Baas" instead of your product name), the reviewer may flag this. See Zoom's AAN documentation for details.
How It Works
The AAN displays the app name associated with whichever SDK credentials are used for the session:
- With your SDK credentials (
zoom_sdk_id/zoom_sdk_pwd): The AAN shows your app name - Without SDK credentials: The bot falls back to Meeting BaaS's default SDK credentials, and the AAN shows "Meeting Baas"
Using SDK Credentials with OBF Tokens
If your bots join external meetings (requiring OBF tokens), you should also pass your SDK credentials to ensure correct AAN attribution. The SDK credentials and OBF tokens serve different purposes:
- SDK credentials → Control the AAN app name (your app identity)
- OBF tokens → Authorize the bot to join on behalf of a specific user
You can combine them in the same bot request:
{
"meeting_url": "https://zoom.us/j/123456789",
"bot_name": "Recording Bot",
"zoom_sdk_id": "YOUR_SDK_KEY",
"zoom_sdk_pwd": "YOUR_SDK_SECRET",
"zoom_obf_token_url": "https://your-api.com/zoom/obf-token"
}This works with any of the three OBF options (zoom_obf_token, zoom_obf_token_url, or zoom_obf_token_user_id).
v2 API users: In v2, you can store your SDK credentials once using the Credentials API instead of passing them with every request. See v2 Zoom Credentials for details.
Learn more: Zoom AAN Documentation | Get Meeting SDK Credentials
Using SDK Credentials
If your bots only join meetings within your own Zoom organization, pass SDK credentials when creating bots:
curl -X POST "https://api.meetingbaas.com/bots" \
-H "Content-Type: application/json" \
-H "x-meeting-baas-api-key: YOUR-API-KEY" \
-d '{
"meeting_url": "https://zoom.us/j/123456789",
"bot_name": "Recording Bot",
"zoom_sdk_id": "YOUR_SDK_KEY",
"zoom_sdk_pwd": "YOUR_SDK_SECRET"
}'import requests
response = requests.post(
"https://api.meetingbaas.com/bots",
headers={
"Content-Type": "application/json",
"x-meeting-baas-api-key": "YOUR-API-KEY",
},
json={
"meeting_url": "https://zoom.us/j/123456789",
"bot_name": "Recording Bot",
"zoom_sdk_id": "YOUR_SDK_KEY",
"zoom_sdk_pwd": "YOUR_SDK_SECRET"
}
)
print(response.json())const response = await fetch("https://api.meetingbaas.com/bots", {
method: "POST",
headers: {
"Content-Type": "application/json",
"x-meeting-baas-api-key": "YOUR-API-KEY",
},
body: JSON.stringify({
meeting_url: "https://zoom.us/j/123456789",
bot_name: "Recording Bot",
zoom_sdk_id: "YOUR_SDK_KEY",
zoom_sdk_pwd: "YOUR_SDK_SECRET",
}),
});
console.log(await response.json());SDK credentials only work for meetings within your Zoom account. For external meetings, you need OBF tokens. See OBF Token Support.
Advanced: ZAK Token URL
If you need the bot to join as a specific Zoom user (not just as an anonymous participant), you can provide a ZAK (Zoom Access Key) token via the zoom_access_token_url parameter.
{
"meeting_url": "https://zoom.us/j/123456789",
"bot_name": "Recording Bot",
"zoom_access_token_url": "https://your-api.com/zoom/zak-token"
}When the bot calls your endpoint, it appends bot_uuid and extra as query parameters (same as with OBF token URLs). This lets you identify which ZAK token to return:
GET https://your-api.com/zoom/zak-token?bot_uuid=abc-123&extra={"user_id":"usr_456"}Your endpoint should return the raw ZAK token as plain text (not JSON).
ZAK tokens are different from OBF tokens. ZAK tokens let the bot join as a specific user. OBF tokens let the bot join on behalf of a user (as an assistant). For most recording use cases, OBF tokens are the right choice.
Submitting for Marketplace Approval
Your app does not need to be listed on the Zoom Marketplace for Meeting BaaS to work. However, approval is required if:
- You want a public listing for users to discover your app
- You want the "approved" badge for trust
- You are using OAuth and want external users to authorize your app
App Listing Section
Fill out the App Listing section:
| Field | What to Enter |
|---|---|
| Category | Choose the most relevant category (e.g., "Productivity") |
| Screenshots | At least 3 screenshots showing your app in action |
| Icon | 256x256 PNG with transparent background |
| Banner | 1280x640 PNG for the listing header |
| Support URL | Link to your support/help page |
| Privacy Policy URL | Link to your privacy policy |
| Terms of Use URL | Link to your terms of service |
Technical Design Section
Zoom requires details about your app's architecture. Here is what to include:
Technology Stack:
You can keep this high-level. Example:
Frontend: React, TailwindCSS
Backend: Python/Node.js
Auth: OAuth 2.0 (your provider)
Database: PostgreSQL
Hosting: AWS/GCP/Azure
Zoom Integration: Zoom Meeting SDK via Meeting BaaS APIArchitecture Diagram:
Include a simple diagram showing:
- Your application
- Meeting BaaS API
- Zoom SDK integration
This does not need to be complex. A basic flow diagram works.
Application Development Section
| Question | Answer | Hint |
|---|---|---|
| Do you have a SSDLC? | Yes | Describe your secure development practices: code reviews, secrets management, dependency scanning, etc. Even informal practices count. |
| Does your app undergo SAST? | Yes (recommended) | Mention static analysis tools you use (CodeQL, Snyk, SonarQube, etc.). If you use GitHub, CodeQL is free and easy to set up. |
| Does your app undergo DAST? | Optional | Dynamic application security testing. Answer based on your practices. Not required for basic approval. |
| Third-party security testing? | Optional | Penetration testing or security audits. Not required but helps if you have them. |
Small teams: You do not need enterprise-grade security tooling. Basic practices like code reviews, dependency updates, and using a static analysis tool (even free ones like CodeQL) are sufficient for approval.
If you have security certifications (SOC 2, ISO 27001), upload them. They are not required but help with approval.
Security Section
| Question | Answer | Hint |
|---|---|---|
| Does your app use TLS 1.2 or above? | Yes | Meeting BaaS uses TLS 1.2+. If you have your own backend, ensure it also uses TLS 1.2+. |
| Does your app use verification/secret tokens? | No (if Meeting BaaS only) | If you are only using this app with Meeting BaaS, select No. We do not use Zoom webhooks. If you have your own Zoom webhook integration, select Yes and describe your verification approach. |
| Does your app collect, store, or log user data? | Depends | If using Meeting BaaS only: We store meeting recordings and transcripts on your behalf. If you have additional data collection, describe it honestly. |
Meeting BaaS users: For most security questions, you can reference that your Zoom integration uses Meeting BaaS, which handles the SDK integration securely. You are responsible for your own application's security practices.
Privacy Section
| Question | Answer | Hint |
|---|---|---|
| Does your app collect info from users under 16? | No | Unless your app specifically targets minors, answer No. Include age restrictions in your Terms of Service. |
| Is your app intended for education, healthcare, or government? | Depends | Answer based on your target market. If yes, you may need additional compliance documentation (FERPA, HIPAA, etc.). |
| Does your app share data with third parties? | Depends | If using Meeting BaaS: Yes, we use Meeting BaaS for recording infrastructure. Describe this in your privacy policy. |
Provide excerpts from your privacy policy covering:
- What data you collect
- How you use the data
- User data access rights
- How users can exercise those rights
Privacy policy tip: If you use Meeting BaaS, mention that recordings are processed by a third-party service (Meeting BaaS) and link to our privacy policy. Example: "Meeting recordings are processed by Meeting BaaS. See their privacy policy at meetingbaas.com/privacy."
Submitting for Review
Verify Your Domain
Zoom requires domain verification. Follow the instructions in the Domain Verification section.
Provide Test Credentials
Create a test account that Zoom reviewers can use to test your app. Include:
- Login credentials
- Any setup instructions
- Sample meeting URLs they can test with
Submit
Click Submit to enter the review queue.
Review Process
Usability Review:
- A Zoom reviewer logs into your app using the test credentials
- They test the meeting recording/transcription flow
- If issues are found, you will receive a "more information required" request
Security Review:
- Zoom tests for common vulnerabilities
- They may use tools like Burp Suite to check for issues
- Ensure server-side validation for all sensitive operations
Timeline: Expect 1-2 weeks for review. You can request expedited review for urgent cases.
Tip: If you receive a "more information required" request, ask for a call. A 30-minute meeting with the reviewer often resolves issues faster than back-and-forth emails.
Scopes Reference
| Scope | Purpose | When Needed |
|---|---|---|
user:read:zak | ZAK token access | Auto-added when you enable Meeting SDK. Required for the SDK to function. |
user:read:token | OBF token access | Required for fetching OBF tokens. Add this for external meetings. |
user:read:user | User profile information | Required for managed OAuth. We use this to get the zoom_user_id when creating connections. |
For Meeting BaaS users:
- SDK credentials only: No additional scopes needed beyond the auto-added
user:read:zak - OBF tokens (managed OAuth): Add both
user:read:tokenanduser:read:user - Existing Zoom app: If you already have a Zoom app with other scopes, you can reuse it. Just enable Meeting SDK and add any missing scopes.
Troubleshooting
SDK Authentication Failed
If you receive ZOOM_SDK_AUTH_FAILED:
- Verify SDK Key and Secret are correct
- Ensure Meeting SDK is enabled in your app
- Check that your app is activated (not in draft status)
- Confirm you are using the SDK credentials, not OAuth credentials
OAuth Token Exchange Failed
If the authorization code exchange fails:
- Verify the redirect URI matches exactly (including trailing slashes)
- Check that the authorization code has not expired (~10 minutes)
- Ensure all required scopes are added to your app
- Verify Client ID and Secret are correct
App Rejected During Review
Common rejection reasons:
- Missing or broken test credentials
- Privacy policy does not cover required topics
- Security vulnerabilities found (check for XSS, CSRF, etc.)
- Screenshots do not match actual app functionality
Next Steps
- OBF Token Support — If joining external meetings
- Building OAuth Consent Flow — Implementing user authorization
- Sending a Bot — Basic bot creation
