- Local Recording Token: Lets the bot record meetings without asking permission from the host
- Onbehalf Token: Associates the bot with the user it is joining the meeting on behalf of. After March 2, 2026, all bots joining external meetings will be required to use this token. See here for the official announcement from Zoom.
callback_settings.zoom_tokens_url parameter when calling the POST /api/v1/bots endpoint.
How it works
When a user authorizes your Zoom app through OAuth:Generate local recording token
When your bot joins a meeting hosted by that user, Attendee generates a local recording token using the stored credentials.
Create a Zoom App
You’ll need to create a Zoom OAuth App that your users will authorize. We recommend creating separate apps for development and production. You will need to choose whether you want to use the local recording token or the onbehalf token or both. Since the onbehalf token will be required after March 2, 2026, we highly recommend you use it. The local recording token is only needed if your bots are recording meetings and you want to record meetings without asking permission from the host.Create app
Go to the Zoom Developer Portal and create a new General app.
Configure basic information
On the sidebar select ‘Basic Information’. For the OAuth redirect URL, enter your application’s OAuth callback URL.
Add scopes for local recording token
On the sidebar select ‘Scopes’. Add the following scopes if you want to use the local recording token:
user:read:usermeeting:read:list_meetingsmeeting:read:local_recording_tokenuser:read:zak
Register your Zoom App with Attendee
Once you’ve created your Zoom app, you need to register it with Attendee. We recommend creating Attendee projects for development and production. These projects will correspond to your development and production Zoom applications.Webhook secret is only needed if you are using the local recording token.
Configure Zoom App Webhooks
These steps are only needed if you are using the local recording token.
Copy webhook URL
In the Attendee dashboard, click the Webhook url button on your newly created Zoom OAuth App credentials.
Configure event subscription
Go back to the Zoom Developer Portal and go to Features → Access in the sidebar. Toggle Event subscription and click Add new Event Subscription.
Add webhook URL
For the Event notification endpoint URL, enter the webhook url you copied earlier from the Attendee dashboard.
Select event types
Select these event types:
Meeting has been createdUser's profile info has been updated
Configure Attendee webhooks
Create webhook
Click on ‘Create Webhook’ and select the
zoom_oauth_connection.state_change trigger. This will be triggered when one your users’ Zoom credentials becomes invalid, usually because they uninstalled your app.Add OAuth Flow Logic to Your Application
You will need to add code to your application that handles the OAuth flow and calls the Attendee API to create a Zoom OAuth connection for your user.Add auth endpoint
Add an
auth endpoint that your application will use to redirect users to the OAuth flow.Add callback endpoint
Add a
callback endpoint that your application will use to handle the OAuth callback.Create Zoom OAuth connection
In your callback endpoint, you’ll take the access code and make a POST /zoom_oauth_connections request to the Attendee API to create a new Zoom OAuth connection for the user who just authorized your application.
Change your code for launching Zoom bots
For Attendee to use the onbehalf token, you need to specify the zoom user the bot is joining on behalf of. You can do this by passing the user’s zoom user id in thezoom_settings.onbehalf_token.zoom_oauth_connection_user_id parameter when launching the bot.
Add Webhook processing logic to your application for the zoom_oauth_connection.state_change trigger
When you receive a webhook with trigger typezoom_oauth_connection.state_change, it means that the Zoom OAuth connection has moved to the disconnected state. This can happen if the user revokes access to the Zoom app or their Zoom account is deleted.
In your application, you should update the Zoom OAuth connection in your database to reflect the disconnected state.
FAQ
Will my Zoom app stop working after March 2, 2026, if we don’t use the onbehalf token?
Yes, this is Zoom’s official deadline. However, Attendee is in contact with Zoom and can request extensions for individual apps that are using Attendee. Please reach out on Slack if you need help getting an extension. Note that if your bot only joins meetings within your Zoom account, you don’t need to use the onbehalf token.Why can’t I delete the Zoom OAuth App credentials?
We don’t allow you to delete the Zoom OAuth App credentials if there are any Zoom OAuth connections associated with it. You will need to intentionally delete all the associated Zoom OAuth connections first. You can do this by listing all the associated Zoom OAuth connections and then deleting them one by one.What happens if the onbehalf token user is not in the meeting when the bot joins?
The bot will not be able to join until this user has entered the meeting. Attendee will keep trying to join until a timeout is reached. The timeout can be configured in theautomatic_leave_settings.authorized_user_not_in_meeting_timeout_seconds parameter when launching the bot. It defaults to 600 seconds.
For more details on onbehalf token related behavior see here.