Zoom SDK/API
Zoomsaas3 credentials
OAuth Access / Refresh Token
zoom-sdk-api / oauth-access-refresh-token
Zoom integrations use OAuth 2.0 access tokens to call Zoom APIs and may receive refresh tokens depending on app type. Zoom documents access_token, token_type bearer, refresh_token, expires_in, scopes, and api_url in token responses.
Looks like
patterneyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+Location
AuthorizationBearer token used for Zoom API calls
OAuth token endpoint responses containing access_token and refresh_token
ZOOM_ACCESS_TOKEN, ZOOM_REFRESH_TOKENapplication OAuth token stores linked to Zoom users or accounts
OAuth examples, local token caches, .env files, and integration config
cloud secret managers, CI/CD variables, and application secrets
OAuth callback logs, token exchange traces, and API client debug logs
Notes
Zoom access tokens expire after about one hour; refresh tokens can be used to obtain new access tokens until expiration or revocation.
OAuth / SDK Client Secret
zoom-sdk-api / client-secret
Zoom apps have a Client ID and Client Secret. Zoom documents Basic authorization using the Client ID and Client Secret for token requests and Meeting SDK JWT generation using app credentials.
Location
ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_SDK_KEY, ZOOM_SDK_SECRETAuthorizationBasic authorization header containing Base64 client_id:client_secret for token requests
OAuth backend config, Meeting SDK config, .env files, and deployment manifests
cloud secret managers, CI/CD variables, hosted app config, and Kubernetes Secrets
SDK examples, backend OAuth handlers, tests, and accidentally committed app config
token request dumps and SDK authentication troubleshooting logs
Notes
Client ID / SDK key identifiers are not sufficient by themselves; the client secret or SDK secret can authenticate the app or sign SDK JWTs.
Meeting SDK JWT / ZAK Token
zoom-sdk-api / meeting-sdk-jwt
Zoom Meeting SDKs use JWTs for authorization and Zoom Access Key (ZAK) tokens for authorizing users to start meetings or webinars. Zoom documents ZAK retrieval through a Bearer-authenticated API call.
Looks like
patterneyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+Location
/users/{userId}/token?type=zak API responses containing token
Meeting SDK app config, local development files, and generated token caches
ZOOM_MEETING_SDK_JWT, ZOOM_ZAK_TOKENSDK startMeeting/joinMeeting code, examples, and committed generated JWTs
Meeting SDK auth debug logs and API responses printed during troubleshooting
Notes
ZAK tokens can start meetings for the associated Zoom user and should be generated just before use.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.