App Credentials
App credentials consist of the client ID and the client secret or public key for authentication. They are used in combination to authenticate and authorize your app securely.
The Client ID in a Zoom app is a unique identifier assigned to your application when you register it in the Zoom App Marketplace. It is used in authentication and authorization processes, particularly when integrating your app with Zoom's APIs.
For the key part of the authentication you can choose from:
- Client Secret is a confidential key generated by Zoom and assigned to your Zoom app.
- Public Key is also known as bring your own key (BYOK) because you provide the cryptographic key. Public key authentication gives you control over your application's security by enabling you to manage your own encryption keys.
  This approach is especially valuable for applications with strict security compliance requirements or specific key management policies. For more information, see BYOK.
Do not share your client ID and secret
Any application with access to your client ID and client secret can access your Zoom data. Sharing these credentials is equivalent to sharing your username and password and violates Zoom's Terms of Use.
Credentials in Development vs Production
The build flow provides two app credentials for your app: production and development. It is important that you use the correct app credentials when submitting your app for review.
- Use the Production client ID for the initial request to publish your app. Initial (first time) submissions are also called "Create" requests.
- Use the Development client ID when:
  - Submitting app updates. Reviewers use this ID to test updated scopes.
  - Testing your app during development before it's published.
When to use development credentials
- Testing OAuth authentication (before app is published)
  When setting up OAuth for user authorization, the development client ID and client secret are used to generate access tokens.
  Example OAuth request during development:
  ```
  POST https://zoom.us/oauth/token
  Content-Type: application/x-www-form-urlencoded

  grant_type=authorization_code
  &code=DEV_AUTHORIZATION_CODE
  &redirect_uri=YOUR_DEV_REDIRECT_URI
  &client_id=YOUR_DEV_CLIENT_ID
  &client_secret=YOUR_DEV_CLIENT_SECRET
  ```
- Testing webhooks (before app is published)
  Webhooks configured in the development environment will use development credentials to validate events (e.g., meeting start, end, participant join).
- Using development API keys for SDK apps
  If you're developing an app using the Zoom SDK (e.g., for embedding Zoom meetings), development credentials are needed to initialize the SDK and test functionality.
- Sandbox testing before production deployment
  You can simulate real-world scenarios using development credentials without impacting production users.
When to switch to production credentials
- When your app is fully tested and ready for real users.
- When you submit your app for Zoom Marketplace approval.
- When transitioning from local testing to a live production environment.
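The following is an added example, not Zoom's code: one way for an integration to keep the development and production credential sets separate, build the token request shown above from exactly one complete set, and keep the client secret out of logs. The environment variable names (`ZOOM_DEV_*`, `ZOOM_PROD_*`) and the sample values are assumptions made for illustration.

```python
import os
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode

TOKEN_URL = "https://zoom.us/oauth/token"  # endpoint from the request on this page
# Constructed sample environment; the variable names are assumptions, not Zoom's.
SAMPLE_ENV = {"ZOOM_DEV_CLIENT_ID": "dev-id", "ZOOM_DEV_CLIENT_SECRET": "dev-secret",
              "ZOOM_DEV_REDIRECT_URI": "https://localhost:8443/zoom/callback",
              "ZOOM_PROD_CLIENT_ID": "prod-id"}  # production set left incomplete

@dataclass(frozen=True)
class ZoomCredentials:
    env: str
    client_id: str
    client_secret: str = field(repr=False)  # keep the secret out of repr() and logs
    redirect_uri: str

def load_credentials(env, environ=os.environ):
    """Load one complete credential set; never fall back to the other environment."""
    prefixes = {"development": "ZOOM_DEV_", "production": "ZOOM_PROD_"}
    if env not in prefixes:
        raise ValueError(f"unknown environment: {env!r}")
    values = {}
    for name in ("CLIENT_ID", "CLIENT_SECRET", "REDIRECT_URI"):
        value = environ.get(prefixes[env] + name, "").strip()
        if not value:
            raise RuntimeError(f"{prefixes[env] + name} is not set for {env}")
        values[name.lower()] = value
    return ZoomCredentials(env=env, **values)

def build_token_request(creds, authorization_code):
    """Return (url, headers, body) for the authorization-code exchange."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": authorization_code,
        "redirect_uri": creds.redirect_uri,
        "client_id": creds.client_id,
        "client_secret": creds.client_secret,
    })
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body

def redact(body):
    """Mask the secret and the one-time code so the request can be logged."""
    hidden = {"client_secret", "code"}
    return urlencode([(k, "REDACTED" if k in hidden else v) for k, v in parse_qsl(body)])

if __name__ == "__main__":
    dev = load_credentials("development", SAMPLE_ENV)
    print(dev, redact(build_token_request(dev, "DEV_AUTHORIZATION_CODE")[2]))
```

Because `load_credentials` raises when any value of the requested set is missing, a deployment that is switched to production cannot silently continue with development credentials.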
Common mistakes
- Using production credentials when submitting a request to publish your app
  When submitting a publish request, make sure your request includes the production credentials.
  Example:
  ```
  https://zoom.us/oauth/authorize?response_type=code&client_id=CLIENT_ID[PROD]&redirect_uri=https://example.integration.test/zoom/login/callback
  ```
- Using development credentials when submitting updates
  For more information, see Why your app requires a production environment to create requests?