Skip to content

Zoom Marketplace: everything to do in Zoom (ConnectGain recording app)

This document lists all tasks you perform inside Zoom (and closely related items) to ship a Marketplace OAuth app that receives cloud recording events and lets ConnectGain store recordings and forward them via webhooks.

Official references (bookmark these):

Replace placeholders:

  • <your-domain> — production dashboard host (e.g. https://dashboard.connectgain.cloud)
  • <SUPABASE_PROJECT_REF> — Supabase project ref (e.g. from https://<ref>.supabase.co)

Part A — Before you open Zoom

  1. Zoom account that can create developer apps (usually a paid Zoom account or developer program access as required by Zoom at signup time).
  2. Decide app distribution
  3. Public — listed in Marketplace search.
  4. Unlisted — only people with the install link can add it (common for B2B).
  5. Prepare public URLs (Zoom review typically requires these):
  6. Privacy policy — how you handle Zoom data, recordings, retention, subprocessors.
  7. Terms of use (if Zoom or your legal process requires it for listing).
  8. Support — support email and/or help center URL that actually works.
  9. Prepare branding
  10. App name (as it should appear on Marketplace).
  11. Short description (one line).
  12. Long description (what it does, who it is for, data use in plain language).
  13. Icons: use Zoom’s required sizes from the submission form (commonly multiple square assets — follow the console prompts).

Part B — Create the app in Zoom Marketplace

  1. Sign in at Zoom Marketplace.
  2. Go to DevelopBuild App.
  3. Choose OAuth (General app / OAuth; naming in the UI may vary).
  4. Choose User-managed app (typical when each user connects their own Zoom user to your product) or account-level admin install if that matches your GTM model.
  5. For ConnectGain’s current flow (per-profile Zoom connection), User-managed is the usual fit.

Part C — Basic app information (App credentials / Basic Information)

Complete every required field Zoom shows on the first screens:

  • App name
  • Short description
  • Company name (if requested)
  • Developer contact email

You will receive:

  • Client ID
  • Client Secret (store only in your backend secrets — never in the frontend repo)

Copy Client ID and Client Secret into your deployment secrets (see Appendix).


Part D — OAuth configuration (in Zoom)

  1. Redirect URL for OAuth Add the exact URL your product uses after Zoom authorization. For ConnectGain scheduling integration, production is typically:

https://<your-domain>/scheduling/integrations/zoom/callback

Rules:

  • Must match character-for-character what your app sends as redirect_uri in the OAuth request.
  • Add separate redirect URLs for staging / local dev if you use them.

  • Scopes — add only what you need. For this integration, align with what ConnectGain requests and what the webhook needs:

Scope (concept) Why Zoom reviewers care
Meeting write (meeting:write, and if your app uses admin paths, meeting:write:admin) Create/update meetings from ConnectGain (scheduling).
Meeting read (meeting:read) Read meeting metadata when handling recordings / linking.
Recording read (recording:read) List/download cloud recording files after recording.completed.
User read (user:read) Identify the Zoom user on OAuth callback (email, id, account).

Important: Zoom’s UI may show granular scope names that differ slightly from legacy names. Pick the equivalents that grant:

  • creating meetings for the connecting user
  • reading that user’s cloud recordings / recording files

If a scope is rejected in review, adjust the app description and justification to match actual behavior.

  1. Save the OAuth section before leaving the page.

Part E — Event subscriptions (webhooks) — required for recordings

  1. In the app settings, open Feature / Event Subscriptions (wording varies).

  2. Turn Event Subscriptions ON.

  3. Endpoint URL — set to your deployed Supabase function:

https://<SUPABASE_PROJECT_REF>.supabase.co/functions/v1/zoom-webhook

  1. Verification
  2. Zoom will send an endpoint URL validation event. Your endpoint must respond correctly (ConnectGain’s zoom-webhook handles this).
  3. After Zoom validates, keep this URL stable; changing it requires re-validation.

  4. Secret Token

  5. Generate or set Zoom’s Secret Token for signing webhook payloads.
  6. Copy the same value into your backend as ZOOM_WEBHOOK_SECRET (must match exactly).

  7. Subscribe to events

  8. Add recording.completed (Recording completed / cloud recording finished processing — exact label in UI may vary).

  9. Optional (only if you need them later) Do not add extra events unless product requirements change; extra events increase review surface area.


Part F — Activation / Install experience (Marketplace-specific)

Depending on Zoom’s current app type:

  1. Add URL / Visit site to install (if shown) Point users to your product’s page where they start Zoom connect (e.g. Settings → Integrations → Zoom).

  2. Whitelist domains (if Zoom asks for allowed domains for OAuth or embeds) Add your production domain(s) exactly as Zoom specifies (no typos, correct https).

  3. Deauthorization / compliance URLs (if requested) Provide URLs or behavior description for when a customer uninstalls the app or requests data deletion, if the form requires it.


Part G — Marketplace listing & submission materials

Before Submit for Review, complete every tab Zoom marks as required. Typical items:

  1. App listing
  2. Name, descriptions, category, screenshots.
  3. Screenshots should show the real in-product Zoom connect flow and (if applicable) where recordings or webhooks are configured.

  4. Privacy & legal

  5. Privacy policy URL (required in practice for approval).
  6. Terms URL if required by the form.

  7. Support

  8. Valid support email and/or URL.

  9. Security / data handling

  10. Answer questionnaires honestly: you receive webhook events, may download recording files, store them in your infrastructure, and send metadata/URLs to customer-configured endpoints.

  11. Demo instructions (often requested)

  12. Test Zoom user steps: install app → OAuth → host a meeting → cloud record → stop meeting → recording processes.
  13. Note that cloud recording must be allowed on the test Zoom account and the host must actually record to the cloud.

  14. Scope justification

  15. One short paragraph per sensitive scope: why recording:read is required to deliver the product.

Part H — Submit, review, publish

  1. Click Submit for Review (or equivalent) in the Zoom developer console.
  2. Respond quickly to Zoom questions (email or ticket); delays can reset timelines.
  3. After approval:
  4. Publish as Public or Unlisted per your GTM plan.
  5. Post-publish
  6. Do not rotate Client Secret or Webhook Secret without updating Supabase env and re-validating webhooks.
  7. Document your install link for sales/support.

Part I — Account-side Zoom settings (host / admin — not only Marketplace)

These are outside the Marketplace form but required for real-world success:

  1. Cloud recording enabled for the Zoom account or user that hosts meetings.
  2. Recording downloads permitted where Zoom policy applies (otherwise API may omit download_url or block downloads).
  3. Users who install the app must re-authorize if you add scopes later (plan comms and in-app “Reconnect Zoom”).

Appendix — ConnectGain backend alignment (not in Zoom UI)

Use this to keep Zoom configuration consistent with the repo:

Zoom / product item ConnectGain / Supabase
OAuth Client ID / Secret ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET on edge functions
Webhook Secret Token ZOOM_WEBHOOK_SECRET on zoom-webhook
User connects Zoom zoom-oauth-url / zoom-oauth-callback, redirect path /scheduling/integrations/zoom/callback
Recording webhook zoom-webhook edge function
Customer API delivery Settings → Webhooks → event zoom.recording.completed
Storage bucket zoom-recordings (see migration 20260317193000_create_zoom_recordings_bucket.sql)

Shorter operational checklist: ZOOM_MARKETPLACE_PUBLISH_CHECKLIST.md


Checklist summary (copy/paste)

  • OAuth app created (type + user-managed vs account-level decided)
  • Redirect URL(s) added and match ConnectGain exactly
  • Scopes added: meeting write/read, recording read, user read (or granular equivalents)
  • Event subscription ON; endpoint URL points to zoom-webhook
  • recording.completed subscribed
  • Secret token generated and copied to ZOOM_WEBHOOK_SECRET
  • Endpoint validation succeeds in Zoom UI
  • Client ID + Secret in Supabase secrets
  • Listing: name, descriptions, icons, screenshots
  • Privacy policy + support URLs live
  • Demo path documented (OAuth → meeting → cloud record → webhook)
  • Submit for review → respond to Zoom → publish (Public or Unlisted)