Zoom Public API Documentation

API Authorization & Authentication-Legacy Applications-OAuth App-OAuth 2.0 with PKCE

Number of APIs: 3


1. Revoke an access token

POST https://zoom.us/oauth/revoke

Revoking an Access Token

Supply the access_token you wish to revoke in the query params.

Navigate to the Auth tab and under Basic Auth fill in the following:

  • Username: [Client_ID]
  • Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode the Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/revoke (already pre-populated in this request for you).

Here's an example request to revoke an access token:

POST /oauth/revoke HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

token=[ACCESS TOKEN]

If successful, the response body will be a JSON object confirming the revocation, like this:

{
  "status": "success"
}





2. Refresh access token

POST https://zoom.us/oauth/token

Refreshing an Access Token

Access tokens expire after one hour. Once expired, you will have to refresh a user's access token.

Take the refresh_token value you received from your POST request access token response and paste it in the refresh_token field in Params.

Navigate to the Auth tab and under Basic Auth fill in the following:

  • Username: [Client_ID]
  • Password: [Client_Secret]

Remember, you can always use the [global variables] feature and syntax within Qodex or directly paste those values in the respective form fields if you do not wish to edit/use the global variables feature.

Alternatively, you can clear the Auth tab fields, and use the Headers tab per our Zoom documentation.

If you go this route, make sure to re-check the Headers key-value field boxes and Base64-encode your Client_ID:Client_Secret (with the colon between the two and no spaces) before pasting in the Authorization value field.

Once you're done, send the POST request to https://zoom.us/oauth/token (already pre-populated in this request for you).

Here's an example request for a refresh token:

POST /oauth/token HTTP/1.1
Host: zoom.us
Authorization: Basic base64Encode(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

refresh_token=[REFRESH TOKEN]&grant_type=refresh_token

If successful, the response body will be a JSON representation of your user's refreshed access token like this:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjE1ODAxNTA5OTQsInRva2VuVHlwZSI6ImFjY2Vzc190b2tlbiIsImlhdCI6MTU4MDE0NzM5NCwianRpIjoiPEpUST4iLCJ0b2xlcmFuY2VJZCI6MjZ9.5c58p0PflZJdlz4Y7PgMIVCrQpHDnbM565iCKlrtajZ5HHmy00P5FCcoMwHb9LxjsUgbJ7653EfdeX5NEm6RoA",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI8S0lEPiJ9.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiI8Q2xpZW50X0lEPiIsImNvZGUiOiI8Q29kZT4iLCJpc3MiOiJ1cm46em9vbTpjb25uZWN0OmNsaWVudGlkOjxDbGllbnRfSUQ-IiwiYXV0aGVudGljYXRpb25JZCI6IjxBdXRoZW50aWNhdGlvbl9JRD4iLCJ1c2VySWQiOiI8VXNlcl9JRD4iLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiPEFjY291bnRfSUQ-IiwibmJmIjoxNTgwMTQ3Mzk0LCJleHAiOjIwNTMxODczOTQsInRva2VuVHlwZSI6InJlZnJlc2hfdG9rZW4iLCJpYXQiOjE1ODAxNDczOTQsImp0aSI6IjxKVEk-IiwidG9sZXJhbmNlSWQiOjI2fQ.DwuqOzywRrQO2a6yp0K_6V-hR_i_mOB62flkr0_NfFdYsSqahIRRGk1GlUTQnFzHd896XDKf_FnSSvoJg_tzuQ",
  "expires_in": 3599,
  "scope": "user:read"
}
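The revoke and refresh requests described above, built programmatically. This is an added example, not code from Zoom or Qodex; the function names, the 60-second refresh margin and the placeholder credentials are assumptions, and the requests are constructed but never sent.

```python
import base64
import urllib.parse
import urllib.request

TOKEN_URL = "https://zoom.us/oauth/token"
REVOKE_URL = "https://zoom.us/oauth/revoke"


def basic_auth_header(client_id, client_secret):
    """Base64-encode 'client_id:client_secret' (colon between, no spaces)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def form_post(url, fields, client_id, client_secret):
    """Build (not send) a form-encoded POST authenticated with Basic auth."""
    # The token goes in the form body, as in the example requests above,
    # which keeps it out of URLs and therefore out of access logs.
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode(fields).encode("ascii"),
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def build_refresh_request(refresh_token, client_id, client_secret):
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return form_post(TOKEN_URL, fields, client_id, client_secret)


def build_revoke_request(access_token, client_id, client_secret):
    return form_post(REVOKE_URL, {"token": access_token}, client_id, client_secret)


def needs_refresh(issued_at, expires_in, now, skew=60):
    """True once the access token is within `skew` seconds of expiry."""
    return now >= issued_at + expires_in - skew


if __name__ == "__main__":
    # Constructed placeholder credentials and token; nothing is sent.
    req = build_revoke_request("constructed-token", "my_id", "my_secret")
    print(req.get_method(), req.full_url, req.data.decode())
    print(needs_refresh(issued_at=0, expires_in=3599, now=3540))
```

Pass the returned request to urllib.request.urlopen to send it; keep the client secret and refresh token out of source control and logs.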





3. Request user authorization PKCE

GET https://zoom.us/oauth/token?response_type=code&client_id={{oAuthDevClientId}}&redirect_uri={{oAuthDevRedirectUri}}&code_challenge=

Step 1: Request User Authorization

Zoom supports Proof Key for Code Exchange (PKCE) when requesting user tokens. This offers better security by enabling clients to use a code challenge and code exchange as part of the initial user authorization request. See RFC 7636 for more information.

Option 1: via Manual Header

To use this feature, send the code_challenge field and optional code_challenge_method field in Params in the user Authorization request. Then send the code_verifier field in the POST Request access token PKCE request params.

If Zoom verifies that the code_challenge and the code_verifier values match, the token endpoint continues processing. If they do not match, you will receive an invalid_grant error.

Option 2: via Auth Helper

Use the Authorization tab to both authorize and retrieve the access token with PKCE. Everything has been configured for you.

