DEV Community

Elisa Levet for Zoom

Posted on • Edited on

JWT app vs Server to Server OAuth app

With the Deprecation of the JWT app from the Marketplace next year, we have been encouraging developers to start migrating from their JWT app to the Server-to-Server OAuth app, which provides more granular scoping options for internal apps that retrieve data from our endpoints.

Now, what are the differences between JWT apps and Server-to-Server OAuth apps?

  1. Internal JWT apps, created by account admins, have wide scope access.
  2. Server-to-server OAuth allows individual users to create apps with scoped access to APIs which reflect the access they already have.
  3. JWT apps rely on token generation using account credentials (API key and API secret)
  4. Server-to-Server OAuth apps rely on requesting an access token to the Zoom OAuth endpoint using account credentials (Account ID, Client ID and Client Secret).
  5. Access tokens generated with Server-to-Server OAuth app are *only valid for one hour *(a new one must be requested once they expired).

It is important to make emphasis on the fact that the only thing that changes with this migration is the way we are requesting an access token and making the API call will remain the same.

But how can you enable the Sever-to-Server OAuth app and how can you make sure that specific permissions are reflected on the app itself?

Once the app is enabled in the account (refer to this post if needed https://dev.to/zoom/why-use-server-to-server-oauth-1n53), it is important to define which permissions you want to grant to the developers that will have access to this type app, because the developer will only see the scopes that they can authorized.

For example, let’s say that you do not want your developer to have access to the Dashboard, so you have to make sure that in the Roles setting for that developer those features are disabled:
(ADMIN > User Management > Roles > Edit)

Dashboard permissions

What this will ensure is that Dashboard scopes wont be visible or available in the developer’s Server-to-Server app

Available scopes

Available scopes

Here are some code snippets that demonstrate the generation of access token using JWT apps and the request of access token using Server-to-Server OAuth app:

Using JWT app credentials to generate an Access token, then use it to make an API call to our Get Users endpoint

Generation of access token with JWT credentials

Using Server-to-Server OAuth app credentials to request an access token to the Zoom OAuth endpoint, then use it to make an API call to the same Get Users endpoint

Requesting an access token to Zoom OAuth endpoint

It is important to note that once your access token expires, you just need to make the same request to the Zoom OAuth endpoint to generate a new one (there is no refresh token involved); but the generation of a new token,** invalidates the previous one **(even if it was not expired).

Thank you so much for reading me and happy coding!

Top comments (0)