Zoom Marketplace: everything to do in Zoom (ConnectGain recording app)
This document lists all tasks you perform inside Zoom (and closely related items) to ship a Marketplace OAuth app that receives cloud recording events and lets ConnectGain store recordings and forward them via webhooks.
Official references (bookmark these):
- Build an app
- OAuth for Marketplace
- Event subscriptions (webhooks)
- Submit apps for review
- Security requirements for Marketplace apps
Replace placeholders:
- <your-domain> — production dashboard host (e.g. https://dashboard.connectgain.cloud)
- <SUPABASE_PROJECT_REF> — Supabase project ref (e.g. from https://<ref>.supabase.co)
Part A — Before you open Zoom
- Zoom account that can create developer apps (usually a paid Zoom account or developer program access as required by Zoom at signup time).
- Decide app distribution
  - Public — listed in Marketplace search.
  - Unlisted — only people with the install link can add it (common for B2B).
- Prepare public URLs (Zoom review typically requires these):
  - Privacy policy — how you handle Zoom data, recordings, retention, subprocessors.
  - Terms of use (if Zoom or your legal process requires it for listing).
  - Support — support email and/or help center URL that actually works.
- Prepare branding
  - App name (as it should appear on Marketplace).
  - Short description (one line).
  - Long description (what it does, who it is for, data use in plain language).
  - Icons: use Zoom’s required sizes from the submission form (commonly multiple square assets — follow the console prompts).
Part B — Create the app in Zoom Marketplace
- Sign in at Zoom Marketplace.
- Go to Develop → Build App.
- Choose OAuth (General app / OAuth; naming in the UI may vary).
- Choose User-managed app (typical when each user connects their own Zoom user to your product) or account-level admin install if that matches your GTM model.
  - For ConnectGain’s current flow (per-profile Zoom connection), User-managed is the usual fit.
Part C — Basic app information (App credentials / Basic Information)
Complete every required field Zoom shows on the first screens:
- App name
- Short description
- Company name (if requested)
- Developer contact email
You will receive:
- Client ID
- Client Secret (store only in your backend secrets — never in the frontend repo)
Copy Client ID and Client Secret into your deployment secrets (see Appendix).
Part D — OAuth configuration (in Zoom)
- Redirect URL for OAuth: Add the exact URL your product uses after Zoom authorization. For ConnectGain scheduling integration, production is typically:
  https://<your-domain>/scheduling/integrations/zoom/callback
  Rules:
  - Must match character-for-character what your app sends as redirect_uri in the OAuth request.
  - Add separate redirect URLs for staging / local dev if you use them.
- Scopes — add only what you need. For this integration, align with what ConnectGain requests and what the webhook needs:

| Scope (concept) | Why Zoom reviewers care |
|---|---|
| Meeting write (meeting:write, and if your app uses admin paths, meeting:write:admin) | Create/update meetings from ConnectGain (scheduling). |
| Meeting read (meeting:read) | Read meeting metadata when handling recordings / linking. |
| Recording read (recording:read) | List/download cloud recording files after recording.completed. |
| User read (user:read) | Identify the Zoom user on OAuth callback (email, id, account). |

Important: Zoom’s UI may show granular scope names that differ slightly from legacy names. Pick the equivalents that grant:
- creating meetings for the connecting user
- reading that user’s cloud recordings / recording files

If a scope is rejected in review, adjust the app description and justification to match actual behavior.
- Save the OAuth section before leaving the page.
Part E — Event subscriptions (webhooks) — required for recordings
- In the app settings, open Feature / Event Subscriptions (wording varies).
- Turn Event Subscriptions ON.
- Endpoint URL — set to your deployed Supabase function:
  https://<SUPABASE_PROJECT_REF>.supabase.co/functions/v1/zoom-webhook
- Verification
  - Zoom will send an endpoint URL validation event. Your endpoint must respond correctly (ConnectGain’s zoom-webhook handles this).
  - After Zoom validates, keep this URL stable; changing it requires re-validation.
- Secret Token
  - Generate or set Zoom’s Secret Token for signing webhook payloads.
  - Copy the same value into your backend as ZOOM_WEBHOOK_SECRET (must match exactly).
- Subscribe to events
  - Add recording.completed (Recording completed / cloud recording finished processing — exact label in UI may vary).
  - Optional (only if you need them later): Do not add extra events unless product requirements change; extra events increase review surface area.
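
The verification and Secret Token steps above, as an added TypeScript example (not ConnectGain's zoom-webhook code): it checks Zoom's x-zm-signature header, an HMAC-SHA256 over v0:{x-zm-request-timestamp}:{raw body} keyed with the Secret Token, and then answers the endpoint.url_validation challenge. The function names and the 300-second replay window are assumptions of this example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hex HMAC-SHA256 keyed with the app's Secret Token (the value stored as ZOOM_WEBHOOK_SECRET).
function hmacHex(secret: string, message: string): string {
  return createHmac("sha256", secret).update(message).digest("hex");
}

// Zoom sends "v0=<hex>" in x-zm-signature, computed over "v0:{x-zm-request-timestamp}:{raw body}".
// maxSkewSec is an assumed replay window (hypothetical default), not a value from the page.
function verifyZoomSignature(
  secret: string, timestamp: string, rawBody: string, signature: string,
  nowSec: number, maxSkewSec: number = 300,
): boolean {
  const ts = Number(timestamp);
  if (!Number.isFinite(ts) || Math.abs(nowSec - ts) > maxSkewSec) return false;
  const expected = Buffer.from("v0=" + hmacHex(secret, `v0:${timestamp}:${rawBody}`));
  const given = Buffer.from(signature);
  // Length check first: timingSafeEqual throws on buffers of different length.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

type WebhookResult = { status: number; body: Record<string, unknown> };

// Verify against the raw body text (before JSON parsing), then dispatch on the event name.
function handleZoomWebhook(
  secret: string, headers: Record<string, string | undefined>, rawBody: string, nowSec: number,
): WebhookResult {
  const ok = verifyZoomSignature(
    secret, headers["x-zm-request-timestamp"] ?? "", rawBody, headers["x-zm-signature"] ?? "", nowSec,
  );
  if (!ok) return { status: 401, body: { error: "invalid signature" } };
  const event = JSON.parse(rawBody);
  if (event.event === "endpoint.url_validation") {
    // Validation challenge: echo plainToken together with its HMAC under the same secret.
    const plainToken = String(event.payload.plainToken);
    return { status: 200, body: { plainToken, encryptedToken: hmacHex(secret, plainToken) } };
  }
  if (event.event === "recording.completed") {
    return { status: 200, body: { accepted: true } }; // hand off to recording storage here
  }
  return { status: 200, body: { ignored: String(event.event) } };
}

// Constructed sample request, signed the way the sender would sign it.
const SECRET = "constructed-secret-token";
const NOW = 1700000000;
const challenge = JSON.stringify({ event: "endpoint.url_validation", payload: { plainToken: "abc123" } });
const signed = { "x-zm-request-timestamp": String(NOW), "x-zm-signature": "v0=" + hmacHex(SECRET, `v0:${NOW}:${challenge}`) };
console.log(handleZoomWebhook(SECRET, signed, challenge, NOW));
```

A mismatch between the console's Secret Token and ZOOM_WEBHOOK_SECRET shows up here as a 401 on every delivery, including the validation request.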
Part F — Activation / Install experience (Marketplace-specific)
Depending on Zoom’s current app type:
- Add URL / Visit site to install (if shown): Point users to your product’s page where they start Zoom connect (e.g. Settings → Integrations → Zoom).
- Whitelist domains (if Zoom asks for allowed domains for OAuth or embeds): Add your production domain(s) exactly as Zoom specifies (no typos, correct https).
- Deauthorization / compliance URLs (if requested): Provide URLs or behavior description for when a customer uninstalls the app or requests data deletion, if the form requires it.
Part G — Marketplace listing & submission materials
Before Submit for Review, complete every tab Zoom marks as required. Typical items:
- App listing
  - Name, descriptions, category, screenshots.
  - Screenshots should show the real in-product Zoom connect flow and (if applicable) where recordings or webhooks are configured.
- Privacy & legal
  - Privacy policy URL (required in practice for approval).
  - Terms URL if required by the form.
- Support
  - Valid support email and/or URL.
- Security / data handling
  - Answer questionnaires honestly: you receive webhook events, may download recording files, store them in your infrastructure, and send metadata/URLs to customer-configured endpoints.
- Demo instructions (often requested)
  - Test Zoom user steps: install app → OAuth → host a meeting → cloud record → stop meeting → recording processes.
  - Note that cloud recording must be allowed on the test Zoom account and the host must actually record to the cloud.
- Scope justification
  - One short paragraph per sensitive scope: why recording:read is required to deliver the product.
Part H — Submit, review, publish
- Click Submit for Review (or equivalent) in the Zoom developer console.
- Respond quickly to Zoom questions (email or ticket); delays can reset timelines.
- After approval:
  - Publish as Public or Unlisted per your GTM plan.
- Post-publish
  - Do not rotate Client Secret or Webhook Secret without updating Supabase env and re-validating webhooks.
  - Document your install link for sales/support.
Part I — Account-side Zoom settings (host / admin — not only Marketplace)
These are outside the Marketplace form but required for real-world success:
- Cloud recording enabled for the Zoom account or user that hosts meetings.
- Recording downloads permitted where Zoom policy applies (otherwise API may omit download_url or block downloads).
- Users who install the app must re-authorize if you add scopes later (plan comms and in-app “Reconnect Zoom”).
Appendix — ConnectGain backend alignment (not in Zoom UI)
Use this to keep Zoom configuration consistent with the repo:
| Zoom / product item | ConnectGain / Supabase |
|---|---|
| OAuth Client ID / Secret | ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET on edge functions |
| Webhook Secret Token | ZOOM_WEBHOOK_SECRET on zoom-webhook |
| User connects Zoom | zoom-oauth-url / zoom-oauth-callback, redirect path /scheduling/integrations/zoom/callback |
| Recording webhook | zoom-webhook edge function |
| Customer API delivery | Settings → Webhooks → event zoom.recording.completed |
| Storage bucket | zoom-recordings (see migration 20260317193000_create_zoom_recordings_bucket.sql) |
Shorter operational checklist: ZOOM_MARKETPLACE_PUBLISH_CHECKLIST.md
Checklist summary (copy/paste)
- OAuth app created (type + user-managed vs account-level decided)
- Redirect URL(s) added and match ConnectGain exactly
- Scopes added: meeting write/read, recording read, user read (or granular equivalents)
- Event subscription ON; endpoint URL points to zoom-webhook
- recording.completed subscribed
- Secret token generated and copied to ZOOM_WEBHOOK_SECRET
- Endpoint validation succeeds in Zoom UI
- Client ID + Secret in Supabase secrets
- Listing: name, descriptions, icons, screenshots
- Privacy policy + support URLs live
- Demo path documented (OAuth → meeting → cloud record → webhook)
- Submit for review → respond to Zoom → publish (Public or Unlisted)