Get Started Fast with Zoom APIs

Refreshing an Access Token

Access tokens expire after one hour. Once expired, you will have to refresh a user's access token.

Take the refresh_token value you received from your POST request access token response and paste it in the refresh_token field in Body.

Navigate to the Auth tab and under Basic Auth and fill in the following:

* Username: [ClientID]
* Password: [ClientSecret]

Remember, you can always use the [collection variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token (already pre-populated in this request for you).

Here's an example request for a refresh token:

POST /oauth/token HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded
refresh_token=[REFRESH TOKEN]&grant_type=refresh_token

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjE1ODAxNTA5OTQsInRva2VuVHlwZSI6ImFjY2Vzc190b2tlbiIsImlhdCI6MTU4MDE0NzM5NCwianRpIjoiPEpUST4iLCJ0b2xlcmFuY2VJZCI6MjZ9.5c58p0PflZJdlz4Y7PgMIVCrQpHDnbM565iCKlrtajZ5HHmy00P5FCcoMwHb9LxjsUgbJ7653EfdeX5NEm6RoA",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjIwNTMxODczOTQsInRva2VuVHlwZSI6InJlZnJlc2hfdG9rZW4iLCJpYXQiOjE1ODAxNDczOTQsImp0aSI6IjxKVEk-IiwidG9sZXJhbmNlSWQiOjI2fQ.DwuqOzywRrQO2a6yp0K_6V-hR_i_mOB62flkr0_NfFdYsSqahIRRGk1GlUTQnFzHd896XDKf_FnSSvoJg_tzuQ",
  "expires_in": 3599,
  "scope": "user:read"
}

Marketplace Documentation:

* Refreshing an access token

Revoking an Access Token

Supply the access_token you wish to revoke to the Body params.

Navigate to the Auth tab and under Basic Auth fill in the following:

* Username: [ClientID] * Password: [ClientSecret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode the Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/revoke (already pre-populated in this request for you).

Here's an example request to revoke an access token:

POST /oauth/revoke HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 4
token=[ACCESS TOKEN]

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "status": "success"
}

Marketplace Documentation:

* Revoking an access token

Step 1: Request User Authorization

Click the Params tab.

If this is your first time authorizing Zoom API access, update the client_id and redirect_uri variables with the appropriate fields from the App Credentials tab of your OAuth app from the Zoom App Marketplace.

To verify that this is your first time, and to test the manual OAuth 2.0 process, navigate to the Local Test tab of your app and check if it says added. If so, click remove before proceeding with the next action.

After updating the client_id and redirect_uri variables in the Qodex Params tab, the URL should resemble this: https://zoom.us/oauth/authorize?response_type=code&client_id={{ClientID}}&redirect_uri={{redirect_uri}}

Now paste that URL in the browser you logged into the Zoom App Marketplace and using to test this flow and hit enter. Follow the prompt to authorize the app. Once you consent, you'll be redirected to a new page confirming the authorization. You'll also see a new url with a 'code' query parameter includes.Copy this 'code' query parameter. It's needed for the POST Request access token.

Proceed to the next request in this collection to continue.

Developer Documentation:

• Request user authorization

Step 2: Request Access Token

Navigate to the Auth tab and under Basic Auth and fill in the following:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure the Headers key-value field boxes are selected and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token(already pre-populated in this request for you).

If successful, the Response Body will be a JSON response containing the user's access token like the following:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ2OTkzLCJleHAiOjE1ODAxNTA1OTMsInRva2VuVHlwZSI6ImFjY2Vzc190b2tlbiIsImlhdCI6MTU4MDE0Njk5MywianRpIjoiPEpUST4iLCJ0b2xlcmFuY2VJZCI6MjV9.F9o_w7_lde4Jlmk_yspIlDc-6QGmVrCbe_6El-xrZehnMx7qyoZPUzyuNAKUKcHfbdZa6Q4QBSvpd6eIFXvjHw",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ2OTkzLCJleHAiOjIwNTMxODY5OTMsInRva2VuVHlwZSI6InJlZnJlc2hfdG9rZW4iLCJpYXQiOjE1ODAxNDY5OTMsImp0aSI6IjxKVEk-IiwidG9sZXJhbmNlSWQiOjI1fQ.Xcn_1i_tE6n-wy6_-3JZArIEbiP4AS3paSD0hzb0OZwvYSf-iebQBr0Nucupe57HUDB5NfR9VuyvQ3b74qZAfA",
  "expires_in": 3599,
  "scope": "user:read:admin"
}

Developer Documentation:

• Getting an access token

Refreshing an Access Token

Access tokens expire after one hour. Once expired, you will have to refresh a user's access token.

Take the refresh_token value you received from your POST request access token response and paste it in the refresh_token field in Params.

Navigate to the Auth tab and under Basic Auth and fill in the following:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token (already pre-populated in this request for you).

Here's an example request for a refresh token:

POST /oauth/token HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded
refresh_token=[REFRESH TOKEN]&grant_type=refresh_token

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjE1ODAxNTA5OTQsInRva2VuVHlwZSI6ImFjY2Vzc190b2tlbiIsImlhdCI6MTU4MDE0NzM5NCwianRpIjoiPEpUST4iLCJ0b2xlcmFuY2VJZCI6MjZ9.5c58p0PflZJdlz4Y7PgMIVCrQpHDnbM565iCKlrtajZ5HHmy00P5FCcoMwHb9LxjsUgbJ7653EfdeX5NEm6RoA",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjIwNTMxODczOTQsInRva2VuVHlwZSI6InJlZnJlc2hfdG9rZW4iLCJpYXQiOjE1ODAxNDczOTQsImp0aSI6IjxKVEk-IiwidG9sZXJhbmNlSWQiOjI2fQ.DwuqOzywRrQO2a6yp0K_6V-hR_i_mOB62flkr0_NfFdYsSqahIRRGk1GlUTQnFzHd896XDKf_FnSSvoJg_tzuQ",
  "expires_in": 3599,
  "scope": "user:read"
}

Developer Documentation:

• Refreshing an access token

Revoking an Access Token

Supply the access_token you wish to revoke to the query params.

Navigate to the Auth tab and under Basic Auth fill in the following:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode the Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/revoke (already pre-populated in this request for you).

Here's an example request to revoke an access token:

POST /oauth/revoke HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 4
token=[ACCESS TOKEN]

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "status": "success"
}

Developer Documentation:

• Revoking an access token

Step 1: Request User Authorization

Zoom supports Proof Key for Code Exchange (PKCE) when requesting user tokens. This offers better security by enabling clients to use a code challenge and code exchange as part of the initial user authorization request. See rfc7636 for more information.

Option 1: via Manual Header

To use this feature, send the code_challenge field and optional code_challenge_method field in Params in the user Authorization request. Then send the code_verifier field in the POST Request access token PKCE request params.

If Zoom verifies that the code_challenge and the code_verifier values match, the token endpoint continues processing. If they do not match, you will receive an invalid_grant error.

Option 2: via Auth Helper

Use the Authorization tab to both authorize and retrieve the access token with PKCE. Everything has been configured for you.

Developer Documentation:

• Request user authorization

Refreshing an Access Token

Access tokens expire after one hour. Once expired, you will have to refresh a user's access token.

Take the refresh_token value you received from your POST request access token response and paste it in the refresh_token field in Params.

Navigate to the Auth tab and under Basic Auth and fill in the following:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token (already pre-populated in this request for you).

Here's an example request for a refresh token:

POST /oauth/token HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded
refresh_token=[REFRESH TOKEN]&grant_type=refresh_token

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjE1ODAxNTA5OTQsInRva2VuVHlwZSI6ImFjY2Vzc190b2tlbiIsImlhdCI6MTU4MDE0NzM5NCwianRpIjoiPEpUST4iLCJ0b2xlcmFuY2VJZCI6MjZ9.5c58p0PflZJdlz4Y7PgMIVCrQpHDnbM565iCKlrtajZ5HHmy00P5FCcoMwHb9LxjsUgbJ7653EfdeX5NEm6RoA",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjIwNTMxODczOTQsInRva2VuVHlwZSI6InJlZnJlc2hfdG9rZW4iLCJpYXQiOjE1ODAxNDczOTQsImp0aSI6IjxKVEk-IiwidG9sZXJhbmNlSWQiOjI2fQ.DwuqOzywRrQO2a6yp0K_6V-hR_i_mOB62flkr0_NfFdYsSqahIRRGk1GlUTQnFzHd896XDKf_FnSSvoJg_tzuQ",
  "expires_in": 3599,
  "scope": "user:read"
}

Developer Documentation:

• Refreshing an access token

Revoking an Access Token

Supply the access_token you wish to revoke to the query params.

Navigate to the Auth tab and under Basic Auth fill in the following:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode the Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/revoke (already pre-populated in this request for you).

Here's an example request to revoke an access token:

POST /oauth/revoke HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 4
token=[ACCESS TOKEN]

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "status": "success"
}

Developer Documentation:

• Revoking an access token

Get a User

In order to get your Server-to-Server app access_token, you will need your accountid. The accountid is available on your Server-to-Server app credentials page, but you can also get it programmatically.

Use the Get a user API endpoint to programmatically retrieve the accountid using another pre-created OAuth app type's `accesstoken`.

This will work only if you have already authorized and authenticated Zoom API access via a pre-created OAuth app.

The Auth tab is pre-set to Bearer Token where you can input the access_token of your choice. It will be sent in the Request Headers to the API endpoint.

If successful, you'll receive a response like this:

{
  "id": "zJKyaiAyTNC-MWjiWC18KQ",
  "created_at": "2018-10-31T04:32:37Z",
  "dept": "Developers",
  "email": "jchill@example.com",
  "first_name": "Jill",
  "last_client_version": "5.9.6.4993(mac)",
  "last_login_time": "2021-05-05T20:40:30Z",
  "last_name": "Chill",
  "pmi": 3542471135,
  "role_name": "Admin",
  "timezone": "Asia/Shanghai",
  "type": 1,
  "use_pmi": false,
  "account_id": "q6gBJVO5TzexKYTb_I2rpg",
  "account_number": 10009239,
  "cms_user_id": "KDcuGIm1QgePTO8WbOqwIQ",
  "company": "Jill",
  "custom_attributes": {
    "key": "cbf_cywdkexrtqc73f97gd4w6g",
    "name": "A1",
    "value": "1"
  },
  "employee_unique_id": "HqDyI037Qjili1kNsSIrIg",
  "group_ids": [
    "RSMaSp8sTEGK0_oamiA2_w"
  ],
  "im_group_ids": [
    "t-_-d56CSWG-7BF15LLrOw"
  ],
  "jid": "jchill@example.com",
  "job_title": "API Developer",
  "language": "en-US",
  "location": "Paris",
  "login_type": 101,
  "manager": "thill@example.com",
  "personal_meeting_url": "example.com",
  "phone_country": "US",
  "phone_number": "+1 800000000",
  "phone_numbers": [
    {
      "code": "+1",
      "country": "US",
      "label": "Mobile",
      "number": "800000000",
      "verified": true
    }
  ],
  "pic_url": "example.com",
  "plan_united_type": "1",
  "pronouns": "3123",
  "pronouns_option": 1,
  "role_id": "0",
  "status": "pending",
  "vanity_url": "example.com",
  "verified": 1,
  "cluster": "us04",
  "zoom_one_type": 4
}

Equipped with the account_id, proceed to the next request in this folder.

Developer Documentation:

• Get a user API endpoint

• Get app credentials

Get Access Token

Use the account_id you got from you S2S OAuth app credentials (or the Get a user API endpoint request in the folder) for the account_id value under the Params tab.

Navigate to the Auth tab and under Basic Auth fill in the following account credentials from your Server-to-Server OAuth app:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [collection variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

🚨 There are no refresh tokens for Server-to-Server OAuth app type. To get a new access token, your app should call the /oauth/token endpoint again with the account_credentials grant.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token (already pre-populated in this request for you).

The successful response will be the access token, which is a Bearer token type that expires in an hour, with the scopes that you chose in your app settings screen:

{
      “Access_token“: String,
      “Token_type”: “bearer”,
      “Expire_in”: long,
      “scope” : [String]
}

Developer Documentation:

• Server-to-Server OAuth

• Get app credentials

Refreshing an Access Token

Access tokens expire after one hour. Once expired, you will have to refresh a user's access token.

Take the refresh_token value you received from your POST request access token response and paste it in the refresh_token field in Body.

Navigate to the Auth tab and under Basic Auth and fill in the following:

* Username: [ClientID] * Password: [ClientSecret]

Remember, you can always use the [collection variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token (already pre-populated in this request for you).

Here's an example request for a refresh token:

POST /oauth/token HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded
refresh_token=[REFRESH TOKEN]&grant_type=refresh_token

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjE1ODAxNTA5OTQsInRva2VuVHlwZSI6ImFjY2Vzc190b2tlbiIsImlhdCI6MTU4MDE0NzM5NCwianRpIjoiPEpUST4iLCJ0b2xlcmFuY2VJZCI6MjZ9.5c58p0PflZJdlz4Y7PgMIVCrQpHDnbM565iCKlrtajZ5HHmy00P5FCcoMwHb9LxjsUgbJ7653EfdeX5NEm6RoA",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjIwNTMxODczOTQsInRva2VuVHlwZSI6InJlZnJlc2hfdG9rZW4iLCJpYXQiOjE1ODAxNDczOTQsImp0aSI6IjxKVEk-IiwidG9sZXJhbmNlSWQiOjI2fQ.DwuqOzywRrQO2a6yp0K_6V-hR_i_mOB62flkr0_NfFdYsSqahIRRGk1GlUTQnFzHd896XDKf_FnSSvoJg_tzuQ",
  "expires_in": 3599,
  "scope": "user:read"
}

Marketplace Documentation:

* Refreshing an access token

Revoking an Access Token

Supply the access_token you wish to revoke to the Body params.

Navigate to the Auth tab and under Basic Auth fill in the following:

* Username: [ClientID] * Password: [ClientSecret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode the Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/revoke (already pre-populated in this request for you).

Here's an example request to revoke an access token:

POST /oauth/revoke HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 4
token=[ACCESS TOKEN]

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "status": "success"
}

Marketplace Documentation:

* Revoking an access token

Get a User

In order to get your Server-to-Server app access_token, you will need your accountid. The accountid is available on your Server-to-Server app credentials page, but you can also get it programmatically.

Use the Get a user API endpoint to programmatically retrieve the accountid using another pre-created OAuth app type's `accesstoken`.

This will work only if you have already authorized and authenticated Zoom API access via a pre-created OAuth app.

The Auth tab is pre-set to Bearer Token where you can input the access_token of your choice. It will be sent in the Request Headers to the API endpoint.

If successful, you'll receive a response like this:

{
  "id": "zJKyaiAyTNC-MWjiWC18KQ",
  "created_at": "2018-10-31T04:32:37Z",
  "dept": "Developers",
  "email": "jchill@example.com",
  "first_name": "Jill",
  "last_client_version": "5.9.6.4993(mac)",
  "last_login_time": "2021-05-05T20:40:30Z",
  "last_name": "Chill",
  "pmi": 3542471135,
  "role_name": "Admin",
  "timezone": "Asia/Shanghai",
  "type": 1,
  "use_pmi": false,
  "account_id": "q6gBJVO5TzexKYTb_I2rpg",
  "account_number": 10009239,
  "cms_user_id": "KDcuGIm1QgePTO8WbOqwIQ",
  "company": "Jill",
  "custom_attributes": {
    "key": "cbf_cywdkexrtqc73f97gd4w6g",
    "name": "A1",
    "value": "1"
  },
  "employee_unique_id": "HqDyI037Qjili1kNsSIrIg",
  "group_ids": [
    "RSMaSp8sTEGK0_oamiA2_w"
  ],
  "im_group_ids": [
    "t-_-d56CSWG-7BF15LLrOw"
  ],
  "jid": "jchill@example.com",
  "job_title": "API Developer",
  "language": "en-US",
  "location": "Paris",
  "login_type": 101,
  "manager": "thill@example.com",
  "personal_meeting_url": "example.com",
  "phone_country": "US",
  "phone_number": "+1 800000000",
  "phone_numbers": [
    {
      "code": "+1",
      "country": "US",
      "label": "Mobile",
      "number": "800000000",
      "verified": true
    }
  ],
  "pic_url": "example.com",
  "plan_united_type": "1",
  "pronouns": "3123",
  "pronouns_option": 1,
  "role_id": "0",
  "status": "pending",
  "vanity_url": "example.com",
  "verified": 1,
  "cluster": "us04",
  "zoom_one_type": 4
}

Equipped with the account_id, proceed to the next request in this folder.

Developer Documentation:

• Get a user API endpoint

• Get app credentials

Get Access Token

Use the account_id you got from you S2S OAuth app credentials (or the Get a user API endpoint request in the folder) for the account_id value under the Params tab.

Navigate to the Auth tab and under Basic Auth fill in the following account credentials from your Server-to-Server OAuth app:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [collection variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

🚨 There are no refresh tokens for Server-to-Server OAuth app type. To get a new access token, your app should call the /oauth/token endpoint again with the account_credentials grant.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token (already pre-populated in this request for you).

The successful response will be the access token, which is a Bearer token type that expires in an hour, with the scopes that you chose in your app settings screen:

{
      “Access_token“: String,
      “Token_type”: “bearer”,
      “Expire_in”: long,
      “scope” : [String]
}

Developer Documentation:

• Server-to-Server OAuth

• Get app credentials

Refreshing an Access Token

Access tokens expire after one hour. Once expired, you will have to refresh a user's access token.

Take the refresh_token value you received from your POST request access token response and paste it in the refresh_token field in Body.

Navigate to the Auth tab and under Basic Auth and fill in the following:

* Username: [ClientID] * Password: [ClientSecret]

Remember, you can always use the [collection variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token (already pre-populated in this request for you).

Here's an example request for a refresh token:

POST /oauth/token HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded
refresh_token=[REFRESH TOKEN]&grant_type=refresh_token

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjE1ODAxNTA5OTQsInRva2VuVHlwZSI6ImFjY2Vzc190b2tlbiIsImlhdCI6MTU4MDE0NzM5NCwianRpIjoiPEpUST4iLCJ0b2xlcmFuY2VJZCI6MjZ9.5c58p0PflZJdlz4Y7PgMIVCrQpHDnbM565iCKlrtajZ5HHmy00P5FCcoMwHb9LxjsUgbJ7653EfdeX5NEm6RoA",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjIwNTMxODczOTQsInRva2VuVHlwZSI6InJlZnJlc2hfdG9rZW4iLCJpYXQiOjE1ODAxNDczOTQsImp0aSI6IjxKVEk-IiwidG9sZXJhbmNlSWQiOjI2fQ.DwuqOzywRrQO2a6yp0K_6V-hR_i_mOB62flkr0_NfFdYsSqahIRRGk1GlUTQnFzHd896XDKf_FnSSvoJg_tzuQ",
  "expires_in": 3599,
  "scope": "user:read"
}

Marketplace Documentation:

* Refreshing an access token

Revoking an Access Token

Supply the access_token you wish to revoke to the Body params.

Navigate to the Auth tab and under Basic Auth fill in the following:

* Username: [ClientID] * Password: [ClientSecret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode the Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/revoke (already pre-populated in this request for you).

Here's an example request to revoke an access token:

POST /oauth/revoke HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 4
token=[ACCESS TOKEN]

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "status": "success"
}

Marketplace Documentation:

* Revoking an access token

Step 1: Request User Authorization

Click the Params tab.

If this is your first time authorizing Zoom API access, update the client_id and redirect_uri variables with the appropriate fields from the App Credentials tab of your OAuth app from the Zoom App Marketplace.

To verify that this is your first time, and to test the manual OAuth 2.0 process, navigate to the Local Test tab of your app and check if it says added. If so, click remove before proceeding with the next action.

After updating the client_id and redirect_uri variables in the Qodex Params tab, the URL should resemble this: https://zoom.us/oauth/authorize?response_type=code&client_id={{ClientID}}&redirect_uri={{redirect_uri}}

Now paste that URL in the browser you logged into the Zoom App Marketplace and using to test this flow and hit enter. Follow the prompt to authorize the app. Once you consent, you'll be redirected to a new page confirming the authorization. You'll also see a new url with a 'code' query parameter includes.Copy this 'code' query parameter. It's needed for the POST Request access token.

Proceed to the next request in this collection to continue.

Developer Documentation:

• Request user authorization

Step 2: Request Access Token

Navigate to the Auth tab and under Basic Auth and fill in the following:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure the Headers key-value field boxes are selected and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token(already pre-populated in this request for you).

If successful, the Response Body will be a JSON response containing the user's access token like the following:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ2OTkzLCJleHAiOjE1ODAxNTA1OTMsInRva2VuVHlwZSI6ImFjY2Vzc190b2tlbiIsImlhdCI6MTU4MDE0Njk5MywianRpIjoiPEpUST4iLCJ0b2xlcmFuY2VJZCI6MjV9.F9o_w7_lde4Jlmk_yspIlDc-6QGmVrCbe_6El-xrZehnMx7qyoZPUzyuNAKUKcHfbdZa6Q4QBSvpd6eIFXvjHw",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ2OTkzLCJleHAiOjIwNTMxODY5OTMsInRva2VuVHlwZSI6InJlZnJlc2hfdG9rZW4iLCJpYXQiOjE1ODAxNDY5OTMsImp0aSI6IjxKVEk-IiwidG9sZXJhbmNlSWQiOjI1fQ.Xcn_1i_tE6n-wy6_-3JZArIEbiP4AS3paSD0hzb0OZwvYSf-iebQBr0Nucupe57HUDB5NfR9VuyvQ3b74qZAfA",
  "expires_in": 3599,
  "scope": "user:read:admin"
}

Developer Documentation:

• Getting an access token

Refreshing an Access Token

Access tokens expire after one hour. Once expired, you will have to refresh a user's access token.

Take the refresh_token value you received from your POST request access token response and paste it in the refresh_token field in Params.

Navigate to the Auth tab and under Basic Auth and fill in the following:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token (already pre-populated in this request for you).

Here's an example request for a refresh token:

POST /oauth/token HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded
refresh_token=[REFRESH TOKEN]&grant_type=refresh_token

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjE1ODAxNTA5OTQsInRva2VuVHlwZSI6ImFjY2Vzc190b2tlbiIsImlhdCI6MTU4MDE0NzM5NCwianRpIjoiPEpUST4iLCJ0b2xlcmFuY2VJZCI6MjZ9.5c58p0PflZJdlz4Y7PgMIVCrQpHDnbM565iCKlrtajZ5HHmy00P5FCcoMwHb9LxjsUgbJ7653EfdeX5NEm6RoA",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjIwNTMxODczOTQsInRva2VuVHlwZSI6InJlZnJlc2hfdG9rZW4iLCJpYXQiOjE1ODAxNDczOTQsImp0aSI6IjxKVEk-IiwidG9sZXJhbmNlSWQiOjI2fQ.DwuqOzywRrQO2a6yp0K_6V-hR_i_mOB62flkr0_NfFdYsSqahIRRGk1GlUTQnFzHd896XDKf_FnSSvoJg_tzuQ",
  "expires_in": 3599,
  "scope": "user:read"
}

Developer Documentation:

• Refreshing an access token

Revoking an Access Token

Supply the access_token you wish to revoke to the query params.

Navigate to the Auth tab and under Basic Auth fill in the following:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode the Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/revoke (already pre-populated in this request for you).

Here's an example request to revoke an access token:

POST /oauth/revoke HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 4
token=[ACCESS TOKEN]

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "status": "success"
}

Developer Documentation:

• Revoking an access token

Step 1: Request User Authorization

Zoom supports Proof Key for Code Exchange (PKCE) when requesting user tokens. This offers better security by enabling clients to use a code challenge and code exchange as part of the initial user authorization request. See rfc7636 for more information.

Option 1: via Manual Header

To use this feature, send the code_challenge field and optional code_challenge_method field in Params in the user Authorization request. Then send the code_verifier field in the POST Request access token PKCE request params.

If Zoom verifies that the code_challenge and the code_verifier values match, the token endpoint continues processing. If they do not match, you will receive an invalid_grant error.

Option 2: via Auth Helper

Use the Authorization tab to both authorize and retrieve the access token with PKCE. Everything has been configured for you.

Developer Documentation:

• Request user authorization

Refreshing an Access Token

Access tokens expire after one hour. Once expired, you will have to refresh a user's access token.

Take the refresh_token value you received from your POST request access token response and paste it in the refresh_token field in Params.

Navigate to the Auth tab and under Basic Auth and fill in the following:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token (already pre-populated in this request for you).

Here's an example request for a refresh token:

POST /oauth/token HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded
refresh_token=[REFRESH TOKEN]&grant_type=refresh_token

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjE1ODAxNTA5OTQsInRva2VuVHlwZSI6ImFjY2Vzc190b2tlbiIsImlhdCI6MTU4MDE0NzM5NCwianRpIjoiPEpUST4iLCJ0b2xlcmFuY2VJZCI6MjZ9.5c58p0PflZJdlz4Y7PgMIVCrQpHDnbM565iCKlrtajZ5HHmy00P5FCcoMwHb9LxjsUgbJ7653EfdeX5NEm6RoA",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjIwNTMxODczOTQsInRva2VuVHlwZSI6InJlZnJlc2hfdG9rZW4iLCJpYXQiOjE1ODAxNDczOTQsImp0aSI6IjxKVEk-IiwidG9sZXJhbmNlSWQiOjI2fQ.DwuqOzywRrQO2a6yp0K_6V-hR_i_mOB62flkr0_NfFdYsSqahIRRGk1GlUTQnFzHd896XDKf_FnSSvoJg_tzuQ",
  "expires_in": 3599,
  "scope": "user:read"
}

Developer Documentation:

• Refreshing an access token

Revoking an Access Token

Supply the access_token you wish to revoke to the query params.

Navigate to the Auth tab and under Basic Auth fill in the following:

• Username: [Client_ID]
• Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode the Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/revoke (already pre-populated in this request for you).

Here's an example request to revoke an access token:

POST /oauth/revoke HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 4
token=[ACCESS TOKEN]

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "status": "success"
}

Developer Documentation:

• Revoking an access token

Use this API to create a meeting for a user. For user-level apps, pass the me value instead of the userId parameter.

• A meeting's start_url value is the URL a host or an alternative host can use to start a meeting. The expiration time for the start_url value is two hours for all regular users.
• For custCreate meeting hosts (users created with the custCreate parameter via the Create users API), the expiration time of the start_url parameter is 90 days from the generation of the start_url.

Note:

For security reasons, the recommended way to programmatically (after expiry) get the updated start_url value is to call the Get a meeting API. Refer to the start_url value in the response.

Scopes: meeting:write:admin, meeting:write

Rate Limit Label: Medium
* This API has a daily rate limit of 100 requests per day. The rate limit is applied against the userId of the meeting host used to make the request.

Use this API to list a user's (meeting host) scheduled meetings. For user-level apps, pass the me value instead of the userId parameter.

Note: * This API only supports scheduled meetings. This API does not return information about instant meetings. * This API only returns a user's unexpired meetings.

Scopes: meeting:read:admin, meeting:read
Rate Limit Label: Medium

Retrieve the details of a meeting.

Scopes: meeting:read:admin meeting:read

Rate Limit Label: Light

Delete a meeting.

Scopes: meeting:write:admin meeting:write

Rate Limit Label: Light

Use this API to update a meeting's details.

Note: * This API has a rate limit of 100 requests per day. Because of this, a meeting can only be updated for a maximum of 100 times within a 24-hour period. * The start_time value must be a future date. If the value is omitted or a date in the past, the API ignores this value and will not update any recurring meetings. * If the start_time value is a future date, the recurrence object is required.

Scopes: meeting:write:admin, meeting:write
Rate Limit Label: Light

Get details for a scheduled Zoom Webinar.

Prerequisites: * Pro or higher plan with a Webinar add-on.

Scopes: webinar:read:admin,webinar:read

Rate Limit Label: LIGHT

Delete a webinar.

Prerequisites:

• Pro or higher plan with the webinar add-on.

Scopes: webinar:write,webinar:write:admin

Rate Limit Label: LIGHT

Make updates to a scheduled webinar.

100 requests per day. The rate limit is applied to the userId of the webinar host used to make the request.

Prerequisites * A Pro or higher plan with a webinar add-on.

Scopes: webinar:write,webinar:write:admin

Rate Limit Label: LIGHT

List all the webinars scheduled by or on behalf a webinar host. For user-level apps, pass the me value instead of the userId parameter.

Zoom users with a webinar plan have access to creating and managing webinars. Webinars let a host broadcast a Zoom meeting to up to 10,000 attendees.

Note This API only returns a user's unexpired webinars.

Prerequisites * A Pro or higher plan with the webinar add-on.

Scopes: webinar:read:admin,webinar:read

Rate Limit Label: MEDIUM

Get Meeting's Closed Caption Token

Use this API to get a meeting's closed caption token (caption URL). This token lets you use a third-party service to stream text to their closed captioning software to the Zoom meeting.

Support Documentation:

• Using a third-party closed captioning service

API Reference:

• Get meeting's Token API

custCreate User

Users created with this custCreate action do not have passwords and will not have the ability to log in to the Zoom web portal or Zoom clients. These users can still host and join meetings using the starturl and joinurl respectively

Create a Meeting with custCreate User

CustCreate users are non-login users created via API. If you create a meeting via API, you can specify the user ID of the API user as the host. The starturl will reflect them as the meeting host when used to start the meeting—this will launch the Zoom Client. Please note the expiration time of the `starturlparameter is **90 days** from the generation of thestart_url`.

Get in-meeting Chat

After a meeting has ended and the recording files are finished processing, call the GET Meetings Recordings endpoint.

In the payload you will see the filetype of CHAT which you can then download via the downloadurl.

Prerequisites

• Ensure the meeting is recorded
• Ensure the Save chat messages from the meeting / webinar setting is enabled.

Support Article:

• Chatting in a Zoom meeting

API Reference:

• Get meeting recordings

Add a Meeting Registrant

Use the Meeting Registration to generate unique join URLs for each participant. The unique join URLs (registration link) allow a user to join a meeting with their first/last name pre-set.

Support Article:

• Scheduling a meeting with registration

API Reference:

• Add a meeting registrant
• Get a meeting registrant
• List meeting registrants
• Perform batch registration
• Delete a meeting registrant

Add a Webinar Registrant

Use the Webinar Registration to generate unique join URLs for each participant. The unique join URLs (registration link) allow a user to join a meeting with their first/last name pre-set.

Support Article:

• Scheduling a webinar with registration

API Reference:

• Add a webinar registrant
• Get a webinar registrant
• List webinar registrants
• Perform batch registration
• Delete a webinar registrant

Get Meeting Token (Caption URL)

As a meeting host, you can add closed captions to Zoom meetings by providing the third-party closed captioning service with the caption URL. The caption URL allows the third-party service to stream text from their closed captioning software to the Zoom meeting. This article defines the format used by Zoom to receive Closed Caption data.

If you are new to using closed captioning with Zoom, please refer to our closed captioning overview.

Use this API to return all of a meeting's recordings. The recording files can be downloaded via the download_url property listed in the response.

To access a password-protected cloud recording, add an access_token parameter to the download URL and provide OAuth access token or JWT as the access_token value.

Scopes: recording:read:admin, recording:read
Rate Limit Label: Light

Delete all recording files of a meeting.

Scopes: recording:write:admin recording:write
Rate Limit Label: Light
Prerequisites: * Cloud Recording should be enabled on the user's account.

Creates a new draft email message.

Scopes: mail:write

Rate Limit Label: MEDIUM

Not supported in Gov cluster

Lists the draft messages in the mailbox.

Scopes: mail:read

Rate Limit Label: MEDIUM

Not supported in Gov cluster

Sends the specified draft.

Scopes: mail:write

Rate Limit Label: MEDIUM

Not supported in Gov cluster

Retrieves the specified draft.

Scopes: mail:read

Rate Limit Label: LIGHT

Not supported in Gov cluster

Replaces a draft email's content.

Scopes: mail:write

Rate Limit Label: MEDIUM

Not supported in Gov cluster

Immediately and permanently deletes the specified draft.

Scopes: mail:write

Rate Limit Label: LIGHT

Not supported in Gov cluster

Gets vacation respondes settings.

Scopes: mail:read

Rate Limit Label: LIGHT

Not supported in Gov cluster

Updates vacation responder settings.

Scopes: mail:write

Rate Limit Label: LIGHT

Not supported in Gov cluster

Gets language settings

Scopes: mail:read

Rate Limit Label: LIGHT

Not supported in Gov cluster

Updates language settings.

Scopes: mail:write

Rate Limit Label: LIGHT

Not supported in Gov cluster