Zoom App Setup

Create and configure a Zoom app for use with Meeting BaaS, including Marketplace approval

Setting Up a Zoom App

This guide walks through creating a Zoom app on the Zoom App Marketplace. You will use this app to either:

  • Use SDK credentials for internal meetings (no OBF tokens needed)
  • Implement OAuth for OBF tokens when joining external meetings

Prerequisites

Creating Your Zoom App

Go to the Zoom App Marketplace

Navigate to marketplace.zoom.us and sign in. Click Develop in the top navigation, then Build App.

Select General App

Choose General App as the app type. This is the unified app type that supports both OAuth and Meeting SDK.

Give your app a descriptive name (e.g., "Acme Recording Bot").

Configure Basic Information

Fill out the Basic Information section:

FieldDescription
App NameYour app's display name
Short DescriptionBrief description of what your app does
Long DescriptionDetailed description (required for Marketplace listing)
Company NameYour organization name
Developer NamePrimary contact name
Developer EmailPrimary contact email

OAuth Redirect URL: Enter the URL where you will handle OAuth callbacks. If you are only using SDK credentials without OAuth, you can set this to your app's home page (e.g., https://yourapp.com/dashboard).

Enable Meeting SDK

Navigate to FeaturesEmbed in the sidebar.

Toggle Meeting SDK to On.

This enables your app to join meetings using the Zoom Meeting SDK.

Configure Scopes

Navigate to Scopes in the sidebar.

Default scope: When you enable Meeting SDK, Zoom automatically adds user:read:zak. This is required by the Meeting SDK toggle.

Additional scopes: Depending on your integration, you may need to add more scopes. Use this matrix to determine what you need:

Integration Typeuser:read:zakuser:read:tokenuser:read:user
SDK credentials only (internal meetings)✓ Auto-addedNot neededNot needed
OBF: Direct token (you fetch tokens yourself)✓ Auto-addedYou add to your appYou add to your app
OBF: Token URL (you host an endpoint)✓ Auto-addedYou add to your appYou add to your app
OBF: Managed OAuth (Meeting BaaS stores tokens)✓ Auto-added✓ Required✓ Required

Which integration type should I use?

  • Internal meetings only: Use SDK credentials. No additional scopes needed.
  • External meetings, you manage OAuth: Use Direct token or Token URL. Add scopes to your Zoom app.
  • External meetings, we manage OAuth: Use Managed OAuth. Add both user:read:token and user:read:user.

See OBF Token Support for details on each option.

To add scopes, click Add Scopes, search for the scope name, and add it.

Get Your Credentials

OAuth credentials (for OBF tokens):

Navigate to Basic Information to find:

  • Client ID — Used in OAuth authorization URL
  • Client Secret — Used when exchanging authorization codes

SDK credentials (for internal meetings and AAN attribution):

Navigate to FeaturesEmbedMeeting SDK section to find:

  • SDK Key (Client ID) — Use as zoom_sdk_id
  • SDK Secret — Use as zoom_sdk_pwd

See Zoom's guide: Get Meeting SDK Credentials

Active Apps Notifier (AAN) Attribution

When a bot joins a Zoom meeting using the Meeting SDK, Zoom displays the app name in the Active Apps Notifier (AAN) — a notice visible to all meeting participants showing which apps are accessing meeting content. The app name shown is determined by the SDK credentials used to initialize the session.

Zoom Marketplace Requirement: During Marketplace review, Zoom requires the AAN to display your app name. If the AAN shows a different app name (e.g., "Meeting Baas" instead of your product name), the reviewer may flag this. See Zoom's AAN documentation for details.

How It Works

The AAN displays the app name associated with whichever SDK credentials are used for the session:

  • With your SDK credentials (zoom_sdk_id / zoom_sdk_pwd): The AAN shows your app name
  • Without SDK credentials: The bot falls back to Meeting BaaS's default SDK credentials, and the AAN shows "Meeting Baas"

Using SDK Credentials with OBF Tokens

If your bots join external meetings (requiring OBF tokens), you should also pass your SDK credentials to ensure correct AAN attribution. The SDK credentials and OBF tokens serve different purposes:

  • SDK credentials → Control the AAN app name (your app identity)
  • OBF tokens → Authorize the bot to join on behalf of a specific user

You can combine them in the same bot request:

{
  "meeting_url": "https://zoom.us/j/123456789",
  "bot_name": "Recording Bot",
  "zoom_sdk_id": "YOUR_SDK_KEY",
  "zoom_sdk_pwd": "YOUR_SDK_SECRET",
  "zoom_obf_token_url": "https://your-api.com/zoom/obf-token"
}

This works with any of the three OBF options (zoom_obf_token, zoom_obf_token_url, or zoom_obf_token_user_id).

v2 API users: In v2, you can store your SDK credentials once using the Credentials API instead of passing them with every request. See v2 Zoom Credentials for details.

Learn more: Zoom AAN Documentation | Get Meeting SDK Credentials

Using SDK Credentials

If your bots only join meetings within your own Zoom organization, pass SDK credentials when creating bots:

curl -X POST "https://api.meetingbaas.com/bots" \
     -H "Content-Type: application/json" \
     -H "x-meeting-baas-api-key: YOUR-API-KEY" \
     -d '{
           "meeting_url": "https://zoom.us/j/123456789",
           "bot_name": "Recording Bot",
           "zoom_sdk_id": "YOUR_SDK_KEY",
           "zoom_sdk_pwd": "YOUR_SDK_SECRET"
         }'
import requests

response = requests.post(
    "https://api.meetingbaas.com/bots",
    headers={
        "Content-Type": "application/json",
        "x-meeting-baas-api-key": "YOUR-API-KEY",
    },
    json={
        "meeting_url": "https://zoom.us/j/123456789",
        "bot_name": "Recording Bot",
        "zoom_sdk_id": "YOUR_SDK_KEY",
        "zoom_sdk_pwd": "YOUR_SDK_SECRET"
    }
)
print(response.json())
const response = await fetch("https://api.meetingbaas.com/bots", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "x-meeting-baas-api-key": "YOUR-API-KEY",
  },
  body: JSON.stringify({
    meeting_url: "https://zoom.us/j/123456789",
    bot_name: "Recording Bot",
    zoom_sdk_id: "YOUR_SDK_KEY",
    zoom_sdk_pwd: "YOUR_SDK_SECRET",
  }),
});
console.log(await response.json());

SDK credentials only work for meetings within your Zoom account. For external meetings, you need OBF tokens. See OBF Token Support.

Advanced: ZAK Token URL

If you need the bot to join as a specific Zoom user (not just as an anonymous participant), you can provide a ZAK (Zoom Access Key) token via the zoom_access_token_url parameter.

{
  "meeting_url": "https://zoom.us/j/123456789",
  "bot_name": "Recording Bot",
  "zoom_access_token_url": "https://your-api.com/zoom/zak-token"
}

When the bot calls your endpoint, it appends bot_uuid and extra as query parameters (same as with OBF token URLs). This lets you identify which ZAK token to return:

GET https://your-api.com/zoom/zak-token?bot_uuid=abc-123&extra={"user_id":"usr_456"}

Your endpoint should return the raw ZAK token as plain text (not JSON).

ZAK tokens are different from OBF tokens. ZAK tokens let the bot join as a specific user. OBF tokens let the bot join on behalf of a user (as an assistant). For most recording use cases, OBF tokens are the right choice.

Submitting for Marketplace Approval

Your app does not need to be listed on the Zoom Marketplace for Meeting BaaS to work. However, approval is required if:

  • You want a public listing for users to discover your app
  • You want the "approved" badge for trust
  • You are using OAuth and want external users to authorize your app

App Listing Section

Fill out the App Listing section:

FieldWhat to Enter
CategoryChoose the most relevant category (e.g., "Productivity")
ScreenshotsAt least 3 screenshots showing your app in action
Icon256x256 PNG with transparent background
Banner1280x640 PNG for the listing header
Support URLLink to your support/help page
Privacy Policy URLLink to your privacy policy
Terms of Use URLLink to your terms of service

Technical Design Section

Zoom requires details about your app's architecture. Here is what to include:

Technology Stack:

You can keep this high-level. Example:

Frontend: React, TailwindCSS
Backend: Python/Node.js
Auth: OAuth 2.0 (your provider)
Database: PostgreSQL
Hosting: AWS/GCP/Azure
Zoom Integration: Zoom Meeting SDK via Meeting BaaS API

Architecture Diagram:

Include a simple diagram showing:

  • Your application
  • Meeting BaaS API
  • Zoom SDK integration

This does not need to be complex. A basic flow diagram works.

Application Development Section

QuestionAnswerHint
Do you have a SSDLC?YesDescribe your secure development practices: code reviews, secrets management, dependency scanning, etc. Even informal practices count.
Does your app undergo SAST?Yes (recommended)Mention static analysis tools you use (CodeQL, Snyk, SonarQube, etc.). If you use GitHub, CodeQL is free and easy to set up.
Does your app undergo DAST?OptionalDynamic application security testing. Answer based on your practices. Not required for basic approval.
Third-party security testing?OptionalPenetration testing or security audits. Not required but helps if you have them.

Small teams: You do not need enterprise-grade security tooling. Basic practices like code reviews, dependency updates, and using a static analysis tool (even free ones like CodeQL) are sufficient for approval.

If you have security certifications (SOC 2, ISO 27001), upload them. They are not required but help with approval.

Security Section

QuestionAnswerHint
Does your app use TLS 1.2 or above?YesMeeting BaaS uses TLS 1.2+. If you have your own backend, ensure it also uses TLS 1.2+.
Does your app use verification/secret tokens?No (if Meeting BaaS only)If you are only using this app with Meeting BaaS, select No. We do not use Zoom webhooks. If you have your own Zoom webhook integration, select Yes and describe your verification approach.
Does your app collect, store, or log user data?DependsIf using Meeting BaaS only: We store meeting recordings and transcripts on your behalf. If you have additional data collection, describe it honestly.

Meeting BaaS users: For most security questions, you can reference that your Zoom integration uses Meeting BaaS, which handles the SDK integration securely. You are responsible for your own application's security practices.

Privacy Section

QuestionAnswerHint
Does your app collect info from users under 16?NoUnless your app specifically targets minors, answer No. Include age restrictions in your Terms of Service.
Is your app intended for education, healthcare, or government?DependsAnswer based on your target market. If yes, you may need additional compliance documentation (FERPA, HIPAA, etc.).
Does your app share data with third parties?DependsIf using Meeting BaaS: Yes, we use Meeting BaaS for recording infrastructure. Describe this in your privacy policy.

Provide excerpts from your privacy policy covering:

  • What data you collect
  • How you use the data
  • User data access rights
  • How users can exercise those rights

Privacy policy tip: If you use Meeting BaaS, mention that recordings are processed by a third-party service (Meeting BaaS) and link to our privacy policy. Example: "Meeting recordings are processed by Meeting BaaS. See their privacy policy at meetingbaas.com/privacy."

Submitting for Review

Verify Your Domain

Zoom requires domain verification. Follow the instructions in the Domain Verification section.

Provide Test Credentials

Create a test account that Zoom reviewers can use to test your app. Include:

  • Login credentials
  • Any setup instructions
  • Sample meeting URLs they can test with

Submit

Click Submit to enter the review queue.

Review Process

Usability Review:

  • A Zoom reviewer logs into your app using the test credentials
  • They test the meeting recording/transcription flow
  • If issues are found, you will receive a "more information required" request

Security Review:

  • Zoom tests for common vulnerabilities
  • They may use tools like Burp Suite to check for issues
  • Ensure server-side validation for all sensitive operations

Timeline: Expect 1-2 weeks for review. You can request expedited review for urgent cases.

Tip: If you receive a "more information required" request, ask for a call. A 30-minute meeting with the reviewer often resolves issues faster than back-and-forth emails.

Scopes Reference

ScopePurposeWhen Needed
user:read:zakZAK token accessAuto-added when you enable Meeting SDK. Required for the SDK to function.
user:read:tokenOBF token accessRequired for fetching OBF tokens. Add this for external meetings.
user:read:userUser profile informationRequired for managed OAuth. We use this to get the zoom_user_id when creating connections.

For Meeting BaaS users:

  • SDK credentials only: No additional scopes needed beyond the auto-added user:read:zak
  • OBF tokens (managed OAuth): Add both user:read:token and user:read:user
  • Existing Zoom app: If you already have a Zoom app with other scopes, you can reuse it. Just enable Meeting SDK and add any missing scopes.

Troubleshooting

SDK Authentication Failed

If you receive ZOOM_SDK_AUTH_FAILED:

  1. Verify SDK Key and Secret are correct
  2. Ensure Meeting SDK is enabled in your app
  3. Check that your app is activated (not in draft status)
  4. Confirm you are using the SDK credentials, not OAuth credentials

OAuth Token Exchange Failed

If the authorization code exchange fails:

  1. Verify the redirect URI matches exactly (including trailing slashes)
  2. Check that the authorization code has not expired (~10 minutes)
  3. Ensure all required scopes are added to your app
  4. Verify Client ID and Secret are correct

App Rejected During Review

Common rejection reasons:

  • Missing or broken test credentials
  • Privacy policy does not cover required topics
  • Security vulnerabilities found (check for XSS, CSRF, etc.)
  • Screenshots do not match actual app functionality

Next Steps

On this page