Best Practices

What is a Zoom Access Key (ZAK) token?

Updated at: November 6, 2025

Tl;dr: A Zoom Access Key (ZAK) Token is a short-lived credential that proves the identity of your meeting bot. You provide it to a meeting bot built with the Zoom Meeting SDK to start a meeting as the host or to join meetings that require authentication. In this article, we'll walk through what ZAKs are, why they’re important, and how to generate and use them.

If you're building a meeting bot (we’ll just say bot going forward for short) with the Zoom Meeting SDK, you've probably run into a situation where your bot gets blocked from joining certain meetings. Maybe the meeting only allows authenticated users, or you need your bot to start a meeting before anyone else arrives. This is where ZAK tokens come in.

A ZAK token is a short-lived credential created via the Zoom API that authenticates your bot as a specific Zoom user. When you provide your bot a ZAK token, Zoom validates the token and grants your bot access as if it were that user joining the meeting. A ZAK is how you tell Zoom "this bot is acting on behalf of an actual account, not some random participant trying to sneak in."

ZAK tokens are generated by, and scoped to, individual Zoom accounts. For example, I could generate a ZAK token for my account, aydin@email.com, and provide that to a meeting bot. This would tell the Zoom SDK that the bot is joining on behalf of Aydin, and that I’ve given my authorization for the bot to join.

Why you need a ZAK token

ZAK tokens have a variety of use cases, but we’ll examine three of the most common situations where a ZAK token would be required.

Use case 1: Joining meetings that require all participants to be signed in

The problem: Your bot tries to join a meeting and is immediately rejected without even making it into the waiting room. The host has enabled the "only authenticated users can join" setting, and your anonymous bot is explicitly disallowed. In practice, this is the most common reason you may need to use a ZAK token.

The solution: Create a ZAK token immediately before creating the bot, and provision it to your bot when it joins the call. Zoom checks the token, confirms it belongs to a valid Zoom account, and admits your bot as an authenticated participant.

Here's the key detail that can simplify your implementation dramatically: You don't need a ZAK token from someone on the meeting invite. To satisfy the "only authenticated users can join" requirement, you can use a ZAK token from any Zoom account. The Zoom account that generates the token doesn't have to be the host, a participant, or even someone in the same organization.

This means most developers create a single "bot" service account (e.g., meeting-bot@email.com) and use this account to generate ZAK tokens for every meeting that requires authentication. One service account is sufficient to authenticate every bot you create, even across concurrent meetings.

Zoom's "only authenticated users can join" setting just verifies that participants are signed into some Zoom account. The setting doesn't check if the participants are specifically invited or part of the organization. Your bot with a ZAK token meets this requirement.

Use case 2: Starting a meeting on behalf of the host

The problem: The host scheduled a meeting but isn't going to attend. While this may seem unusual, it happens regularly, for example when a recruiter sets up an interview or a coordinator schedules a team sync. In both cases, without the host present, the meeting can't start, and participants are stuck waiting.

The solution: Create a ZAK token immediately before creating the bot, and provision it to your bot when it joins the call. When your bot joins with this ZAK token, it can start the meeting as if it were the host, even if the actual host never arrives.

Note that in order to start the meeting, the ZAK token must belong to the account of the host of the meeting. Supplying a ZAK token from an arbitrary account will not work.

Use case 3: Changing the bot’s profile picture

The problem: By default, your bot appears in meetings with a generic avatar. If you want your bot to have a branded profile picture (like your company logo), there's no direct way to set it. While it is possible to change the bot’s video output using Recall.ai’s Output Media API, there is no API to change the bot’s profile picture.

The solution: Create a ZAK token immediately before creating the bot, and provision it to your bot when it joins the call. When a bot joins with a ZAK token, it will assume the profile picture of the account that generated the token. This is the only way to customize a bot's avatar.

This is one of the more niche use cases for a ZAK token, and is more of a side effect than a primary reason to implement them. However, if branding the bot's avatar is important for your use case, ZAK tokens are the only way to accomplish this.

For this approach, we recommend creating a dedicated bot service account, similar to the approach in Use Case 1. Then set the profile picture on that Zoom account to your chosen logo, and provision ZAK tokens from this account for all your bots. The display name can still be overridden with the userName parameter, but the avatar will always come from the account that generated the ZAK token.

You need to update the profile picture on the Zoom account that you are generating the ZAK token from; there's no API to change the profile picture programmatically for each meeting.

If any of the use cases above are relevant to your meeting bot implementation, the only solution is to use a ZAK token. The next step in this process is understanding how to generate ZAK tokens and use them at scale.

How to generate and use a ZAK token

Generating a ZAK token requires implementing Zoom's OAuth flow and making a few API calls. The high-level process looks like this:

Step 1: Create a Zoom OAuth app (one-time setup)
Step 2: Get an OAuth access token for the Zoom user
Step 3: Call the Zoom API to generate the ZAK token
Step 4: Pass the ZAK token to your bot when joining

The trickiest part is usually Step 2: implementing OAuth. Once you’ve figured out OAuth, generating and using ZAK tokens is straightforward.

Step 1: Creating a Zoom app

Before you can generate ZAK tokens, you need to create a Zoom OAuth app. This is a one-time setup:

Go to the Zoom App Marketplace and create a “General App”. Fill in basic app information (name, description, redirect URL) and enable the Meeting SDK. Your app can stay in development mode because you can generate ZAK tokens for your own use without publishing your app to the marketplace. If you did want to retrieve ZAK tokens for users outside of your own org, you would need to publish it to the marketplace. You’ll also want to enable the user:read:zak and user:read:token scopes in your OAuth configuration.

Your OAuth app will provide a Client ID and Client Secret. Save these: you'll need them for the OAuth flow in Step 2.

Step 2: Getting a user's OAuth access token

To get a ZAK token, you first need an OAuth access token. (Yes, you need a token to retrieve a different token!)

The OAuth access token is what gives your app permission to call Zoom's API on behalf of a user, including the API endpoint that generates ZAK tokens. Without the OAuth access token, Zoom has no way to verify that you're actually authorized to act on that user's behalf.

You can follow Zoom's OAuth 2.0 guide, which shows you how to generate a refresh token and an access token, where:
- The refresh token is a long-lived token used to generate short-lived access tokens as needed.
- The access token is a short-lived token (typically lasts 1 hour) used to interact with the Zoom API.

Implementation tip: If you're using a single service account for all your bots (the approach recommended in the first and third use cases), you only need to go through the OAuth flow once for that service account. Store the refresh token securely and use it to generate fresh access tokens whenever needed.

Step 3: Generating a ZAK token

Once you have the user’s OAuth access token, you’ll be able to call Zoom’s Get ZAK endpoint to retrieve a ZAK token for their account:

curl -X GET \
  "https://api.zoom.us/v2/users/me/zak" \
  -H "Authorization: Bearer ZOOM_OAUTH_ACCESS_TOKEN"

This request will return a ZAK token which you can use with the Zoom Meeting SDK.

Because the ZAK token is short-lived, we recommend fetching and using ZAK tokens immediately before your bot joins each meeting.

Step 4: Providing the ZAK token to your bot

After you've obtained a ZAK token, you can initialize the Meeting SDK client to add a bot to a meeting.

When joining a meeting, you will need to call the join() function on the Meeting SDK client and pass the ZAK token to the join function's config:

// First initialize the Zoom Meeting SDK as `ZoomMtg`
ZoomMtg.join({
  sdkKey: "",
  signature: "",
  meetingNumber: "",
  userName: "Your Bot",
  password: "",
  zak: "YOUR_ZAK_TOKEN",
});

See Zoom's documentation for platform-specific details on passing ZAK tokens across Web, iOS, Android, and other Meeting SDK implementations.

At this point, Zoom will authenticate your ZAK token, and your bot will enter the call while appearing as signed in to a Zoom account. It will be able to join meetings with the “only authenticated users can join” setting, start meetings, and have a custom profile picture.
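
Steps 2 and 3 combined into one just-in-time helper for a Node.js backend (an added example, not code from Zoom or from this article's authors). It assumes Zoom's OAuth token endpoint at https://zoom.us/oauth/token, a `token` field in the Get ZAK response, and a hypothetical `saveRefreshToken` callback that writes to your secret store; `fetchImpl` is injectable so the flow can be exercised offline.

```javascript
// Added example, not Zoom's or Recall.ai's code. Requires Node 18+ (global fetch).
const TOKEN_URL = "https://zoom.us/oauth/token"; // assumed: Zoom's OAuth token endpoint
const ZAK_URL = "https://api.zoom.us/v2/users/me/zak"; // endpoint from Step 3

// Step 2: refresh-token grant, authenticated with the app's Client ID and Secret.
function buildRefreshRequest(clientId, clientSecret, refreshToken) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  const body = new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken });
  return {
    url: TOKEN_URL,
    init: {
      method: "POST",
      headers: { Authorization: `Basic ${basic}`, "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Step 3: the same request as the curl command above.
function buildZakRequest(accessToken) {
  return { url: ZAK_URL, init: { method: "GET", headers: { Authorization: `Bearer ${accessToken}` } } };
}

// Send a request and parse JSON; errors carry only the HTTP status, never a token.
async function callJson(fetchImpl, { url, init }, label) {
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`${label} failed: HTTP ${res.status}`);
  return res.json();
}

// Mint a ZAK right before the bot joins. saveRefreshToken is a hypothetical
// callback that writes to your secret store.
async function mintZak({ clientId, clientSecret, refreshToken, saveRefreshToken, fetchImpl = fetch }) {
  const grant = await callJson(fetchImpl, buildRefreshRequest(clientId, clientSecret, refreshToken), "token refresh");
  if (!grant.access_token) throw new Error("token refresh returned no access_token");
  // If a replacement refresh token is issued, persist it before doing anything
  // else, otherwise the stored one may no longer work on the next run.
  if (grant.refresh_token && grant.refresh_token !== refreshToken) {
    await saveRefreshToken(grant.refresh_token);
  }
  const zak = await callJson(fetchImpl, buildZakRequest(grant.access_token), "ZAK request");
  if (!zak.token) throw new Error("ZAK response had no token field"); // assumed field name
  return zak.token; // pass straight to join({ zak }); do not log or cache it
}
```

Run this server-side only: the Client Secret and refresh token must never reach the browser that hosts the Meeting SDK client, which needs nothing more than the returned ZAK.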

Conclusion

ZAK tokens solve a specific but important problem: they authenticate your bot as a real Zoom user, which unlocks scenarios that would otherwise be impossible. Whether you need to start meetings as the host, join authenticated-only meetings, or just give your bot a professional appearance with a custom avatar, ZAK tokens are the mechanism that makes all those outcomes possible.

If you're interested in sending bots to Zoom calls without dealing with all the complexity associated with the Zoom Meeting SDK, you might want to check out Recall.ai's Meeting Bot API for Zoom. You can get started by signing up for a self-serve account, or chat with our team to understand if Recall.ai will work for your use case.

Appendix / FAQs

ZAK Token vs. Other Zoom Credentials: A Quick Comparison

When working with Zoom bots, you'll encounter a few different token types. Here's a quick reference to what each one does:

| Token Type | Purpose |
| --- | --- |
| OAuth Access Token | Authorizes your app to call Zoom's API on behalf of a user. Required to generate ZAK tokens and join tokens. |
| Join Token for Local Recording | Pre-authorizes your bot to skip the waiting room and automatically start local recording without host approval. Learn more in our guide to local recording tokens. |
| ZAK Token | Authenticates your bot as a specific Zoom user. Used to join meetings requiring authentication, start meetings as host, or customize bot appearance. |

How long does a ZAK token last?

It depends on which endpoint you use to generate it:

  • Using GET /users/{userId}/zak: The token expires in 5 minutes. This is the endpoint we showed in Step 3.
  • Using GET /users/{userId}/token?type=zak: The token lasts 2 hours for regular users, or 90 days for API users (accounts created programmatically via the custCreate action in Zoom's Create Users API).

Regardless of which endpoint you use, we recommend generating ZAK tokens just-in-time, right before your bot joins each meeting. The API call is fast, and fresh tokens eliminate any risk of expiration issues.

Do I need multiple Zoom accounts to generate ZAK tokens?

Nope! A single Zoom account can generate ZAK tokens for an unlimited number of concurrent bots across different meetings. There's no observed concurrency limit.