Connecting Your Zoom Account: What Happens Under the Hood

One click. No shared credentials. Here is exactly how the Zoom OAuth integration works and why your account stays secure.

The Zoom integration is one of the most-requested features we built. Here is how it works — and what we deliberately did not do.

When you click 'Connect Zoom' in your integrations dashboard, you are redirected to Zoom's own OAuth consent screen. You authorise the NextGen Commerce app to create meetings on your behalf. Zoom sends back an access token and refresh token, which we encrypt and store in your practitioner record in the database.

The tokens never appear in your browser after that point. When a client books a session, our server uses your token to call the Zoom API and generate a meeting link. The link is cached in Supabase for up to 24 hours to avoid hitting Zoom's 100-meetings-per-day limit on Basic plans.

If you disconnect your Zoom account, we delete the tokens immediately. We never store them in logs, never send them to the browser, and never use them for anything other than creating meetings for your bookings.