Zoom Server-to-Server OAuth Apps

Zoom Server-to-Server OAuth apps let your workflows authenticate to Zoom at the account level instead of through a person's OAuth login. A Zoom admin creates the app once, grants it exactly the scopes it needs, and Sim mints short-lived access tokens from the app's credentials on demand — no user consent to expire, and permissions that are auditable from the Zoom Marketplace.

This is the recommended way to use Zoom in production workflows: the credentials don't depend on any user staying logged in, the granted scopes are explicit, and tokens are minted fresh whenever a workflow runs.

Prerequisites

You need a Zoom admin whose role has permission to view and edit Server-to-Server OAuth apps, plus permission for the scopes the app will use. The Develop option in the Zoom Marketplace only appears for accounts with this permission.

Scope selection is capped by the creating admin's own role permissions, and Zoom automatically removes admin-level scopes from the app if that admin's role is later downgraded — workflows then start failing with scope errors even though nothing changed in Sim. Create the app from an admin account you expect to keep.

Setting Up the Server-to-Server OAuth App

1. Create the App

Sign in at marketplace.zoom.us as a Zoom admin, click DevelopBuild an app, select Server-to-Server OAuth app, and click Create. Give it a name (e.g. Sim)

On the App Credentials page, copy the Account ID, Client ID, and Client secret — these are the three values you'll paste into Sim

Use the Account ID from this App Credentials page — it's an opaque string, not a number. The numeric account number shown in your Zoom web-portal profile is a different value, and pasting it is a documented common mistake that produces "bad request" errors when minting tokens.

In the Information section, fill in the required short description, company name, and developer name and email — the app can't be activated without them

In Scopes, click Add Scopes and add the admin-level granular scopes your workflows need (see the list below)

In Activation, resolve any remaining blockers and activate the app

Tokens cannot be minted until the app is activated — and deactivating it later immediately kills every token it has issued, stopping all workflows that use the credential.

2. Choose Scopes

Server-to-Server OAuth apps use Zoom's granular scopes with account-level (:admin) variants. Grant only what your workflows use. The set Sim's Zoom tools can draw on is:

Users:

user:read:user:admin

Meetings:

meeting:read:meeting:admin
meeting:read:list_meetings:admin
meeting:write:meeting:admin
meeting:update:meeting:admin
meeting:delete:meeting:admin
meeting:read:invitation:admin
meeting:read:list_past_participants:admin

Cloud recordings:

cloud_recording:read:list_user_recordings:admin
cloud_recording:read:list_recording_files:admin
cloud_recording:delete:recording_file:admin

Match these against what the Marketplace Scopes picker actually offers — Zoom's granular-scope catalog shows the :admin variants for account-level apps, but names occasionally differ from the user-level scopes Sim's OAuth flow requests. If a picker entry differs slightly from this list, prefer the picker's name for the matching action.

A missing scope surfaces at run time as a 4xx error from the Zoom API naming a scope problem. Add the scope in the app's Scopes section and re-run the workflow — no changes are needed in Sim.

3. Copy the Credentials

The Client secret is bearer material for your entire Zoom account, limited only by the app's scopes. Treat it like a password — do not commit it to source control or share it publicly. Sim encrypts it at rest.

Regenerating the Client secret in the Zoom Marketplace invalidates the stored pair. If you rotate it, update the credential in Sim right away.

Adding the Service Account to Sim

Open Integrations from your workspace sidebar

Search for "Zoom" and open it, then click Add to Sim and choose Add server-to-server app

In the Add Zoom server-to-server app dialog, paste the Client ID, Client secret, and Account ID, and optionally set a display name and description

Click Add server-to-server app. Sim verifies the credentials by minting a real access token from Zoom — if it fails, the error tells you whether Zoom rejected the credentials or couldn't be reached. A rejection usually means bad credentials, an app that isn't a Server-to-Server OAuth app, or an app that hasn't been activated.

Using the Service Account in Workflows

Add a Zoom block to your workflow. In the credential dropdown, your Zoom service account appears alongside any OAuth credentials. Select it and configure the block as you normally would.

The block calls api.zoom.us with a freshly minted access token — the same requests as the OAuth flow, so every Zoom tool works, subject to the scopes you granted.

The me keyword does not work with service accounts. With a personal OAuth connection, user-scoped operations (create meeting, list meetings, list recordings) accept me for the connected user. A Server-to-Server app has no user context — Zoom rejects me with an error like "This API does not support client credentials for authorization." Always pass an explicit user ID or email address in the block's user field when using a service account.

Sim's Zoom tools call the standard api.zoom.us host. Standard commercial Zoom accounts work as-is; Zoom for Government and other regionally partitioned accounts may not be reachable at that host and aren't currently supported with service accounts.

Token Behavior

Access tokens minted from the app live for one hour and there is no refresh token — Sim simply mints a new token when one is needed. Zoom explicitly allows multiple concurrently valid tokens, so minting never invalidates workflows already in flight. Two events do kill tokens:

  • Deactivating the app — all minted tokens die immediately and no new ones can be issued until it's reactivated
  • Regenerating the Client secret — the stored credentials stop working; paste the new secret into the credential in Sim

Common Questions

The app authenticates as your Zoom account, not as a person — nothing expires when someone leaves or their login lapses. An admin grants it explicit scopes once, and Sim mints short-lived tokens from the stored credentials whenever a workflow runs.
Sim surfaces this as its general authentication error. The most common cause is pasting the numeric account number from the Zoom web portal instead of the Account ID from the app's App Credentials page. They are different values — the App Credentials Account ID is an opaque string. Copy all three values from the App Credentials page.
A common cause is that the Client ID and secret belong to a regular OAuth app, not a Server-to-Server OAuth app — Zoom's token endpoint reports this as an unsupported grant type. Only Server-to-Server OAuth apps support account-level token minting — create one under Develop → Build an app in the Zoom Marketplace. An app that hasn't been activated yet also can't mint tokens — activate it in the Marketplace first.
The block's user field is set to 'me', which only works with a personal OAuth connection. Service accounts have no user context — enter the target Zoom user's email address or user ID instead.
Zoom automatically strips admin-level scopes from the app if the admin who created it loses the matching role permissions. Check the app's Scopes section in the Marketplace, re-add what's missing (from an admin with sufficient permissions), and re-run.
Regenerate the Client secret on the app's App Credentials page in the Zoom Marketplace, then update the credential in Sim with the new secret. Note that the old secret stops working as soon as it's regenerated, so update Sim promptly.

On this page