Zoom OAuth Scope Mapping

How Streamli9 uses each of the 12 Zoom OAuth scopes. Every scope is read-only.
Prepared for the Zoom Marketplace review team.


What Streamli9 Does

Streamli9 is a meeting accountability platform. When a user connects their Zoom account, Streamli9 syncs their past meetings (last 30 days), downloads text transcripts only (never audio or video), and uses AI to extract action items with owners, deadlines, and priorities. It then tracks completion, sends reminders, and manages dependencies across teams.

Important: Text Transcript Required

Streamli9 only processes text transcripts, not audio or video recordings. A meeting may have a cloud recording (audio/video) but still show no summary or action items if audio transcription was not enabled in the Zoom account's recording settings. To enable: Zoom Settings → Recording → Advanced Cloud Recording → toggle “Audio transcript” on.

User Identity

Identifies the connected Zoom account and links it to the Streamli9 user profile.

user:read:user
Purpose: Read the authenticated user's display name and Zoom account ID.
API endpoint: GET /v2/users/me
Data produced: User display name, Zoom account identifier.
Visible in app: Settings → Connected Accounts → Zoom card displays "Connected as [Name]".
user:read:email
Purpose: Read the authenticated user's email address for cross-account verification.
API endpoint: GET /v2/users/me
Data produced: Verified email address linked to the Zoom account.
Visible in app: Settings → Connected Accounts → Zoom card displays the linked email.

Meeting Discovery

Discovers past meetings so Streamli9 can sync them and extract action items.

meeting:read:meeting
Purpose: Read individual meeting metadata (title, time, duration, type).
API endpoint: GET /v2/meetings/{meetingId}
Data produced: Meeting title, scheduled start time, actual end time, duration in minutes.
Visible in app: Meetings page → each meeting card shows title, date, and duration.
meeting:read:list_meetings
Purpose: List the user's past meetings for initial sync (last 30 days).
API endpoint: GET /v2/users/me/meetings?type=past
Data produced: List of all past meetings within the sync window with UUIDs and metadata.
Visible in app: Meetings page → the full list of synced Zoom meetings.

Participants

Retrieves who attended each meeting, used for action item ownership and accountability.

meeting:read:participant
Purpose: Read participant information for a specific meeting.
API endpoint: Meeting participant data from events and API responses.
Data produced: Participant name and email (if signed into Zoom).
Visible in app: Meeting Detail → Participants section lists all attendees.
meeting:read:list_past_instances
Purpose: List individual instances of a recurring meeting series.
API endpoint: GET /v2/past_meetings/{meetingId}/instances
Data produced: Each occurrence of a recurring meeting with its own UUID and timestamp.
Visible in app: Meetings page → recurring meetings shown as separate instances with dates.
meeting:read:list_past_participants
Purpose: List all participants who joined a past meeting.
API endpoint: GET /v2/past_meetings/{meetingId}/participants
Data produced: Participant names, emails, join/leave times, duration attended.
Visible in app: Meeting Detail → Participants section. Also used to suggest action item owners.

Meeting Summary

Retrieves Zoom AI Companion summaries when available on the user's account.

meeting:read:summary
Purpose: Read the AI-generated meeting summary produced by Zoom AI Companion.
API endpoint: GET /v2/meetings/{meetingId}/meeting_summary
Data produced: Zoom's AI-generated meeting summary text (if AI Companion is enabled).
Visible in app: Meeting Detail → Summary section displays the AI-generated overview.

Cloud Recording & Transcript

Accesses cloud recording metadata to locate and download text transcripts. Streamli9 never downloads or stores audio or video files — only the text transcript.

cloud_recording:read:list_user_recordings
Purpose: List which meetings have cloud recordings available.
API endpoint: GET /v2/users/me/recordings
Data produced: Identifies meetings with recordings so Streamli9 can check for transcripts.
Visible in app: Meetings page → transcript availability indicator on meeting cards.
cloud_recording:read:list_recording_files
Purpose: List individual recording files for a meeting to find the text transcript.
API endpoint: GET /v2/meetings/{meetingId}/recordings
Data produced: List of recording files filtered to find type "audio_transcript" only.
Visible in app: Internal processing — identifies the transcript file among recording files.
cloud_recording:read:recording
Purpose: Access recording metadata including the secure download URL for the transcript file.
API endpoint: Recording metadata with signed download URLs.
Data produced: Secure, time-limited download URL for the transcript text file.
Visible in app: Internal processing — obtains the URL to download the transcript text.
cloud_recording:read:meeting_transcript
Purpose: Download the actual text transcript content from the cloud recording.
API endpoint: Transcript download URL (authenticated with Bearer token).
Data produced: Raw meeting transcript text (VTT/TXT format). Encrypted before storage.
Visible in app: Meeting Detail → full transcript text. Also processed by AI to extract action items, owners, deadlines, and priorities.
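The transcript-only rule can be enforced in code at the point where recording files are selected for download. The sketch below is an added example, not Streamli9's own code. It keeps only entries whose `recording_type` is `audio_transcript` and refuses any download URL that is not HTTPS on a Zoom host, so the Bearer token is never sent elsewhere. The host allowlist, function names and sample response are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_RECORDING_TYPE = "audio_transcript"  # the only file type the page says is kept
ALLOWED_HOST_SUFFIX = ".zoom.us"             # assumption: hosts trusted with the token


def is_trusted_download_url(url: str) -> bool:
    """True only for https URLs on zoom.us or one of its subdomains."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    on_zoom = host == "zoom.us" or host.endswith(ALLOWED_HOST_SUFFIX)
    return parts.scheme == "https" and on_zoom


def select_transcript_files(recording_response: dict) -> list:
    """Return the transcript entries that are safe to download; drop the rest."""
    selected = []
    for entry in recording_response.get("recording_files", []):
        if entry.get("recording_type") != ALLOWED_RECORDING_TYPE:
            continue  # audio and video files are never considered
        url = entry.get("download_url", "")
        if not is_trusted_download_url(url):
            continue  # never attach the Bearer token to an unexpected host
        selected.append({"id": entry.get("id"), "download_url": url})
    return selected


# Constructed sample shaped like a recording-files response (not real data).
SAMPLE_RESPONSE = {
    "recording_files": [
        {"id": "f1", "recording_type": "shared_screen_with_speaker_view",
         "download_url": "https://zoom.us/rec/download/constructed-video"},
        {"id": "f2", "recording_type": "audio_only",
         "download_url": "https://zoom.us/rec/download/constructed-audio"},
        {"id": "f3", "recording_type": "audio_transcript",
         "download_url": "https://us02web.zoom.us/rec/download/constructed-vtt"},
        {"id": "f4", "recording_type": "audio_transcript",
         "download_url": "https://zoom.us.attacker.example/rec/download/x"},
    ]
}
```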

End-to-End Data Flow

1. Connect: User authorizes Streamli9 via Zoom OAuth. All 12 scopes granted.
2. Sync: Streamli9 fetches the user's past meetings (last 30 days) and creates records for each.
3. Participants: For each meeting, fetches the participant list. Used for action item ownership.
4. Transcript: Checks for cloud recordings, locates the text transcript file, and downloads it. Audio and video files are never accessed.
5. AI Extraction: Transcript is processed by AI (Claude Haiku) to extract action items with owners, deadlines, and priorities.
6. Accountability: Action items are tracked, reminders sent, dependencies managed, and status monitored via email thread integration.
7. Ongoing: New meetings are captured via Zoom webhooks (meeting.ended, recording.completed, recording.transcript_completed). Same pipeline runs automatically.

Security and Privacy

Read-only access

All 12 scopes are read-only. Streamli9 cannot create, modify, or delete any Zoom data.

Text transcripts only

Only text transcripts are downloaded. Audio and video recordings are never accessed, downloaded, or stored.

Encrypted storage

OAuth tokens encrypted with AES-256-GCM. Transcripts encrypted at rest before database storage.

Webhook verification

All Zoom webhook events verified with HMAC-SHA256 signature validation before processing.
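A sketch of that check, added here as an example and not taken from Streamli9's code base. It follows Zoom's documented scheme, in which the `x-zm-signature` header carries `v0=` plus the hex HMAC-SHA256 of `v0:{x-zm-request-timestamp}:{raw body}` keyed with the app's webhook secret token. The freshness window, the treatment of the timestamp as epoch seconds, lower-cased header keys and the sample values are assumptions.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: replay window chosen for this example


def sign(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Compute the signature value expected for this timestamp and body."""
    message = b"v0:" + timestamp.encode() + b":" + raw_body
    digest = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    return "v0=" + digest


def verify_zoom_webhook(secret: str, headers: dict, raw_body: bytes, now=None) -> bool:
    """Accept only a fresh request whose signature matches the raw body.

    `headers` is assumed to use lower-cased keys, and `raw_body` must be the
    exact bytes received: re-serialising parsed JSON can change the bytes
    and break a valid signature.
    """
    timestamp = headers.get("x-zm-request-timestamp", "")
    signature = headers.get("x-zm-signature", "")
    if not (timestamp.isascii() and timestamp.isdigit()) or not signature:
        return False
    now = time.time() if now is None else now
    # Assumption: timestamp is epoch seconds; reject stale or future requests.
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, timestamp, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode("utf-8", "replace"))


# Constructed sample values (not real secrets or events).
SAMPLE_SECRET = "constructed-secret-token"
SAMPLE_TS = "1700000000"
SAMPLE_BODY = b'{"event":"meeting.ended","payload":{"object":{"uuid":"constructed"}}}'
SAMPLE_HEADERS = {
    "x-zm-request-timestamp": SAMPLE_TS,
    "x-zm-signature": sign(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
}
```

Events that fail this check should be dropped before any parsing or database work, including `app_deauthorized`, since a forged deauthorization would delete a user's tokens.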

Deauthorization

When a user disconnects Zoom or deauthorizes via the Zoom Marketplace, Streamli9 receives the app_deauthorized webhook event, immediately deletes the stored OAuth tokens and Zoom account link, and ceases all API calls for that user. Meeting data previously synced is retained per the user's data retention preferences and can be deleted via Settings → Privacy → Delete Account.
