Authorization
Rivet handles authorization out-of-the-box, so you can spend more time developing critical business logic. This section describes how each Rivet module handles authorization. Rivet currently supports Zoom's client_credentials, account_credentials and authorization_code OAuth grant types, and Video SDK JWT Auth.
Authorize Zoom Rivet modules
Zoom offers several authorization methods depending on the developer product.
Reference the matrix in the table below to see how authorization works for each Zoom Rivet module.
| Module | Auth type |
|---|---|
| Chatbot | Client credentials |
| Video SDK | JSON Web Token |
| Chat, Meetings, Phone, Accounts, Users | User OAuth, Server OAuth |
Authorize with User OAuth
For admins and users to manage Zoom products, they need User OAuth authorization on Zoom's website. Zoom Rivet supports authorization with the default HttpReceiver. (AwsLambdaReceiver does not support User OAuth.)
If your client uses User OAuth (e.g., Chat) and the receiver supports User OAuth (e.g., HttpReceiver), you must provide installerOptions.
By default, Zoom Rivet stores authorization tokens in memory. So you'll need to authorize again each time the server restarts. We recommend setting up persistent token storage for a smoother experience.
User OAuth options
Each authorization type has its own requirements. User OAuth requires clientId, clientSecret, and installerOptions. See the following example of how to instantiate a User OAuth client:
```javascript
const usersClient = new UsersOAuthClient({
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  webhooksSecretToken: process.env.WEBHOOK_SECRET_TOKEN,
  installerOptions: {
    redirectUri: "", // required: the full redirect URI registered for the app in the Zoom Marketplace
    stateStore: "",  // required: a StateStore implementation, or a string used as the JWT state-signing secret
  },
});
```
This table lists the configurable options for OAuth authorization in Zoom Rivet. Each option indicates whether it is required or optional, provides a default value if applicable, and explains its function.
| Option | Optional or required | Description |
|---|---|---|
| directInstall?: boolean | Optional, default: false | Skips the installation page and redirects users directly to Zoom for authorization. |
| installPath?: string | Optional, default: /zoom/oauth/install | The HTTP endpoint or URL you visit in the browser to complete authorization. |
| redirectUri: string | Required, no default | The redirect URI appended to the authorization URL for Zoom's OAuth server. |
| redirectUriPath?: string | Optional, default: /zoom/oauth/callback | The endpoint or path added to redirectUri. Zoom's OAuth server redirects you back to it with your authorization code after authorization. |
| stateStore: StateStore or string | Required, no default | The state store generates and verifies the state value that protects against cross-site request forgery (CSRF). If the type is StateStore, your custom state store generates and verifies state tokens. If the type is string, the default JwtStateStore uses the value as the JWT signing secret. |
Complete authorization with User OAuth
To complete the authorization process, Zoom Rivet provides a default installation page at /zoom/oauth/install, unless you modify it with the installPath property.
When you navigate to this page, a simple static page appears. When you choose the button, it redirects you to Zoom to authorize Zoom Rivet. If you want to skip the installation page and redirect users directly to Zoom, set directInstall to true in installerOptions.
You can use a default or custom path to access Zoom Rivet's authorization page.
- Default installPath: http://localhost:{PORT}/zoom/oauth/install
- Custom installPath: http://localhost:{PORT}/{installPath}
Redirect to Zoom Rivet
Zoom Rivet offers a ready-to-use User OAuth setup with a seamless redirect experience. Once Zoom authorizes you and redirects you back, Zoom Rivet automatically exchanges the authorization code for the initial access token.
Zoom requires you to specify the full redirect URI in the Marketplace web portal before it allows authorization with Zoom Rivet.
State store
During User OAuth authorization, an opaque state value is appended to the authorization request and returned on the redirect back to Zoom Rivet, which helps prevent CSRF attacks.
By default, Zoom Rivet generates a JWT token and verifies it against a JWT-based state store once authorization is complete. To use your own state store, implement the StateStore interface and pass it in through installerOptions.
To learn more about User OAuth, see Integrations (OAuth apps).
Authorize with Server OAuth
A Server OAuth app enables you to securely integrate with Zoom APIs and get your account owner access token without user interaction. This is different from the User OAuth authorization type, which requires user authentication.
Account administrators or users with role-based access permissions to create, edit, or view Server OAuth apps can add and manage Server OAuth apps.
Server OAuth options
Each authorization type has its own requirements. Server OAuth requires clientId, clientSecret, and accountId. See the following example of how to instantiate a Server OAuth client:
```javascript
const meetingsClient = new MeetingsS2SAuthClient({
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  webhooksSecretToken: process.env.WEBHOOK_SECRET_TOKEN,
  accountId: process.env.ACCOUNT_ID, // the account whose owner-level token is requested without user interaction
});
```
To learn more about Server OAuth, see Internal apps (Server-to-server).
Authorize with Client Credentials
To send, update, or delete Chatbot messages, Chatbots must be authorized. Chatbots authorize through the client_credentials grant type.
Client Credentials authorization options
Each authorization type has its own requirements. Client Credentials authorization requires clientId and clientSecret. See the following example of how to instantiate a Client Credentials client:
```javascript
const chatbotClient = new ChatbotClient({
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  webhooksSecretToken: process.env.WEBHOOK_SECRET_TOKEN,
});
```
To learn more about client credentials, see Authentication.
Authorize with JSON Web Token
Zoom Video SDK APIs use JSON Web Tokens (JWT) for authorization. Each request to the Video SDK API must be authorized by an encrypted Video SDK API JWT.
JSON Web Token authorization options
Each authorization type has its own requirements. JSON Web Token authorization requires clientId and clientSecret. See the following example of how to instantiate a JSON Web Token client:
```javascript
const videosdkClient = new VideoSdkClient({
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  webhooksSecretToken: process.env.WEBHOOK_SECRET_TOKEN,
});
```
To learn more about JSON Web Tokens, see Integrations (OAuth apps).