lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Zoom SDK/API

Zoomsaas3 credentials

Credentials3 documented
01

OAuth Access / Refresh Token

zoom-sdk-api / oauth-access-refresh-token

Zoom integrations use OAuth 2.0 access tokens to call Zoom APIs and may receive refresh tokens depending on app type. Zoom documents access_token, token_type bearer, refresh_token, expires_in, scopes, and api_url in token responses.

generated on installsecrettoken

Looks like

pattern
pattern

Zoom OAuth examples show JWT access tokens; use Bearer or token response context because no Zoom-specific prefix is documented

eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+

Location

http header
Authorization

Bearer token used for Zoom API calls

http response

OAuth token endpoint responses containing access_token and refresh_token

environment
ZOOM_ACCESS_TOKEN, ZOOM_REFRESH_TOKEN
database

application OAuth token stores linked to Zoom users or accounts

config file

OAuth examples, local token caches, .env files, and integration config

secret store

cloud secret managers, CI/CD variables, and application secrets

logs

OAuth callback logs, token exchange traces, and API client debug logs

Notes

Zoom access tokens expire after about one hour; refresh tokens can be used to obtain new access tokens until expiration or revocation.

02

OAuth / SDK Client Secret

zoom-sdk-api / client-secret

Zoom apps have a Client ID and Client Secret. Zoom documents Basic authorization using the Client ID and Client Secret for token requests and Meeting SDK JWT generation using app credentials.

generated on installsecretsecret value

Location

environment
ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_SDK_KEY, ZOOM_SDK_SECRET
http header
Authorization

Basic authorization header containing Base64 client_id:client_secret for token requests

config file

OAuth backend config, Meeting SDK config, .env files, and deployment manifests

secret store

cloud secret managers, CI/CD variables, hosted app config, and Kubernetes Secrets

source code

SDK examples, backend OAuth handlers, tests, and accidentally committed app config

logs

token request dumps and SDK authentication troubleshooting logs

Notes

Client ID / SDK key identifiers are not sufficient by themselves; the client secret or SDK secret can authenticate the app or sign SDK JWTs.

03

Meeting SDK JWT / ZAK Token

zoom-sdk-api / meeting-sdk-jwt

Zoom Meeting SDKs use JWTs for authorization and Zoom Access Key (ZAK) tokens for authorizing users to start meetings or webinars. Zoom documents ZAK retrieval through a Bearer-authenticated API call.

generated on installsecrettoken

Looks like

pattern
pattern

Zoom Meeting SDK JWT, OAuth access token, or ZAK token in JWT compact serialization

eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+

Location

http response

/users/{userId}/token?type=zak API responses containing token

config file

Meeting SDK app config, local development files, and generated token caches

environment
ZOOM_MEETING_SDK_JWT, ZOOM_ZAK_TOKEN
source code

SDK startMeeting/joinMeeting code, examples, and committed generated JWTs

logs

Meeting SDK auth debug logs and API responses printed during troubleshooting

Notes

ZAK tokens can start meetings for the associated Zoom user and should be generated just before use.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.