Architecture

Architect your Zoom App to have a front-end that displays the WebView of your web application containing any interactive components and data that are useful to the user and a backend that can at minimum handle user authorization, Zoom API calls, app launch and page redirects.

This document provides details on the different processes that your app's backend must support.

OWASP secure headers for app home URL and html

The Open Web Application Security Project (OWASP) recommends a set of https headers for web applications that increase security and reduce browser vulnerability to attack. For more information, including specific guidance and tools, see OWASP.

The Zoom Apps platform enforces a subset of the OWASP recommendations. The https MIME type text/html response from your server for the app's home URL must be decorated with security headers recommended by the OWASP Secure Headers Project. The Zoom client validates all document (MIME type text/html) responses with a 200 status code for the presence of OWASP Secure Headers. Ensure that your app backend decorates its html responses with the following headers:

  • Strict-Transport-Security
  • X-Content-Type-Options
  • Content-Security-Policy
  • Referrer-Policy

See OWASP Secure Headers for App Home URL and HTML.

Requests originating from the Zoom Client

The Zoom Client includes an OS-agnostic User-Agent header in requests it originates. This header will be as follows regardless of the environment in which the client originating the request is installed.

Mozilla/5.0 ZoomWebKit/537.36 (KHTML, like Gecko) ZoomApps/1.0

App installation

Zoom Apps can be installed in one of these three ways:

  • Local installation using the Local Test feature found in your Marketplace app configuration. This is made available to you for testing purposes.
  • From the Marketplace app listing page.
  • From the Zoom Apps listing page in the Zoom client.

To provision installation from the Marketplace and the Zoom client, you are required to provide a direct landing url in your App configuration page.

Once your app is published on the Zoom App Marketplace, a 'Visit Site to Install' button is included on your app listing page. When users click this button, they will be taken to your Direct landing URL.

This endpoint provides a way for you to intercept the request before prompting your user to login or authorize the Zoom App. It is a good opportunity for you to generate an OAuth 2.0 state parameter to use in your app's OAuth flow.

Authorization (OAuth redirect)

From your direct landing page, request the user to authorize your app. If the user chooses to authorize, Zoom will redirect the user to your app's redirect URL, along with the original state parameter and an authorization code that can be exchanged with user's OAuth token. After receiving the token, use it to generate a deep link as shown below. Optionally, you may store it in a database or cache for later use if your app will be making requests to Zoom Restful APIs on behalf of the user.

Deep link generation

After retrieving a valid access token, make a POST request to the deep link API on behalf of the user so that the app gets launched in the user's Zoom client. Depending on where the app installation was initiated from (i.e. in a meeting or in the Apps panel), the Zoom client will open the app in the proper context.

POST /v2/zoomapp/deeplink/ HTTP/1.1
Host: https://api.zoom.us
Content-Type: application/json
Authorization: Bearer <access_token>
{"action": "go"}

Note that there is a 256 character limit on the action parameter.

After you receive a deep link, redirect the user to this link to launch the app in the user's client.

App launch in the Zoom client

After redirecting the user to the deep link, the Zoom Client will attempt to launch your app's home page by making a GET request to the Home URL that you entered in the Information tab of your Zoom App.

To validate that the incoming request is from Zoom and to retrieve data such as source of app usage (in a meeting or outside a meeting), user's Zoom participant ID (uid) and meeting ID (if the app was opened during a meeting), your app must decrypt the context header of the request.

Embedded browser versions

The OS of your machine that runs the Zoom client determines the browser engine that runs the embedded browser that renders Zoom Apps.

For Windows, it's Microsoft Edge WebView2 (which uses Microsoft Edge (Chromium) as the rendering engine to display the web content in native apps) or CEF (Chromium Embedded Framework). 32-bit CEF has an absolute memory limit of 1.0 GB for Javascript. Less may be available to allocate if memory is fragmented. An allocation within Javascript of 512 MB should be achievable. 64-bit CEF has an absolute memory limit of 4.0GB for Javascript.

For Mac, it's WKWebView, tied to the version that your Safari browser uses.

For Android Zoom Rooms, the embedded browser uses the Android system's built-in Chromium WebView version. Find the version number in our Settings > About > Chromium version.