title: Zoom API - Restricted access
description: How to create and use restricted Zoom API tokens for accessing Zoom resources.
updated_date: 2025-11-18T16:28:00Z

Restricting a Zoom API token to specific users involves four main stages:

  1. Create a Group for your target users.
  2. Create a Custom Role that can only see that group.
  3. Create a Service User and assign it the new role.
  4. Create a Server-to-Server OAuth App as that service user.

Step 1: Create a User Group

First, you must group the users you want the API to be able to access.

  1. Sign in to the Zoom web portal as an account owner or admin.
  2. In the navigation menu, go to User Management > Groups.
  3. Click Add Group.
  4. Give the group a name (e.g., “API-Accessible Users”) and a description.
  5. Click Add.
  6. Go to the Users tab (under User Management > Users), find the users you want to add, and add them to this new group.

Step 2: Create a Custom Role with a Custom Scope

This is the most critical step. You will create a new role that has admin-level permissions (like reading user data) but is scoped to only the group you just made.

  1. In the navigation menu, go to User Management > Roles.
  2. Click Add Role.
  3. Enter a Role Name (e.g., “Restricted API Role”) and a description.
  4. Click Add.
  5. You will now see the permissions list for this new role. Go to the Role Settings tab.
  6. Find the permissions your API will need. For example:
    • To read user data: Check the View box for Users.
    • To read meeting/webinar data: Check the View box for Dashboard.
    • To read recordings: Check the View box for Recording.
    • To read phone call logs: Check the View box for Zoom Phone (or PbxAdmin in the API).
  7. Set the Scope: For each permission you checked, you must change its scope.
    • Click the Edit link in the Scope column for that permission.
    • By default, it is set to “Entire Account.”
    • Select Custom Scope.
    • In the window that appears, find and select the group you created in Step 1 (“API-Accessible Users”).
    • Click Save.
  8. Your role should now show “Custom Scope” for the permissions it needs. This role can only see data for users within that specific group.

Step 3: Create a Service User and Assign the Role

Your new, restricted role needs to be assigned to a user. It’s best practice to create a new, dedicated “service user” for this.

  1. Go to User Management > Users.
  2. Click Add Users and create a new user (e.g., api-service@yourcompany.com).
  3. Important: This user must have the appropriate licenses to access the data you want to pull (e.g., a Zoom Phone license to pull call logs).
  4. Once the user is created, find them in the user list and click Edit next to their name.
  5. In the User Role dropdown, select the new role you created (“Restricted API Role”).
  6. Click Save.

Step 4: Create the Server-to-Server OAuth App

Finally, you will create the API app as this new restricted user. The app’s credentials will inherit the user’s restricted scope.

  1. Log out of your admin account.
  2. Log in to the Zoom App Marketplace with the new service user’s credentials (e.g., api-service@yourcompany.com).
  3. In the top-right, click Develop > Build an App.
  4. Find the Server-to-Server OAuth app type and click Create.
  5. Give your app a name (e.g., “Restricted Data App”).
  6. Add Scopes: Click the Scopes tab. You must add the API scopes that match the permissions you gave the role in Step 2.
    • For user information: user:read:user, user:read:list_users:admin
    • For meetings: meeting:read:meeting, meeting:read:list_meetings:admin, report:read:admin, report:read:user:admin
    • For teams: team:read:team, team:read:list_teams:admin
    • For phone calls (if Zoom Phone is enabled): phone:read:admin, phone_call_log:read:admin, phone:read
    • Add other scopes as needed for your specific use case

More details on Roles & Permissions here and here

  7. Click Continue and Activate your app.
  8. You can now view your App Credentials (Account ID, Client ID, Client Secret). These are the credentials you need to share with Parable.
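
One way to check the finished setup before sharing the credentials, as an added example that is not part of the original page: it builds the Server-to-Server OAuth token request, compares the scopes in the token response with the set you intended, and lists any users the token can see outside the Step 1 group. The function names and sample data are constructed for illustration, and the response shapes (a space-separated scope string, a users array with an email field) are assumptions about Zoom's API responses.

```python
import base64
import urllib.parse
import urllib.request

# Scopes this integration is meant to hold (the page's "user information" set).
EXPECTED_SCOPES = {"user:read:user", "user:read:list_users:admin"}


def build_token_request(account_id, client_id, client_secret):
    """Build (without sending) the Server-to-Server OAuth token request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    query = urllib.parse.urlencode(
        {"grant_type": "account_credentials", "account_id": account_id})
    return urllib.request.Request(
        f"https://zoom.us/oauth/token?{query}", method="POST",
        headers={"Authorization": f"Basic {basic}"})


def audit_scopes(token_response, expected=EXPECTED_SCOPES):
    """Compare the scopes in the token response with the intended set."""
    granted = set(token_response.get("scope", "").split())
    return {"unexpected": sorted(granted - set(expected)),
            "missing": sorted(set(expected) - granted)}


def users_outside_group(list_users_response, group_emails):
    """E-mail addresses visible to the token that are not in the Step 1 group."""
    allowed = {e.lower() for e in group_emails}
    seen = {u["email"].lower() for u in list_users_response.get("users", [])}
    return sorted(seen - allowed)


# Constructed sample data, shaped like the token and list-users responses.
SAMPLE_TOKEN = {"access_token": "<redacted>", "token_type": "bearer",
                "expires_in": 3600, "scope": "user:read:user phone:read:admin"}
SAMPLE_USERS = {"users": [{"email": "alice@example.com"},
                          {"email": "Bob@example.com"},
                          {"email": "carol@example.com"}]}
GROUP_EMAILS = ["alice@example.com", "bob@example.com"]  # constructed

if __name__ == "__main__":
    print(audit_scopes(SAMPLE_TOKEN))
    print(users_outside_group(SAMPLE_USERS, GROUP_EMAILS))
```

An empty "unexpected" list and an empty result from users_outside_group are what a correctly restricted token should produce; anything else means the app's scopes or the role's Custom Scope need another look.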