[Example] 180 — Zoom Cloud Recording Transcription (Node.js)

[github-actions]

New example: Zoom Cloud Recording Transcription (Node.js)

Integration: Zoom | Language: Node.js | Products: STT (pre-recorded)

What this shows

A Node.js/Express server that receives Zoom recording.completed webhook events, authenticates with Zoom Server-to-Server OAuth to download the recording, and transcribes it using Deepgram nova-3 with speaker diarization and smart formatting. Includes webhook signature validation and the Zoom endpoint URL validation handshake.

Required secrets

Variable	Purpose
DEEPGRAM_API_KEY	Deepgram STT
ZOOM_ACCOUNT_ID	Zoom S2S OAuth
ZOOM_CLIENT_ID	Zoom S2S OAuth
ZOOM_CLIENT_SECRET	Zoom S2S OAuth
ZOOM_WEBHOOK_SECRET_TOKEN	Webhook signature validation

---

Built by Engineer on 2026-04-01

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

✓ Pass — Zoom integration is genuine:

• Zoom Server-to-Server OAuth is implemented: fetch('https://zoom.us/oauth/token?grant_type=account_credentials&account_id=...') with Basic auth
• Webhook signature validation uses crypto.createHmac('sha256', ZOOM_WEBHOOK_SECRET_TOKEN) — matches Zoom's documented verification flow
• Zoom URL validation handshake (endpoint.url_validation) is correctly handled
• Recording download uses audioFile.download_url with OAuth access token
• .env.example lists ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_WEBHOOK_SECRET_TOKEN — all real Zoom credentials
• Tests make real API calls to both Deepgram (pre-recorded STT) and Zoom (OAuth token retrieval)

Code quality

• ✓ Official Deepgram SDK used (@deepgram/sdk v5 — deepgram.listen.v1.media.transcribeFile)
• ✓ No hardcoded credentials
• ✓ Error handling: env var validation at startup, try/catch around recording processing, HTTP error checks
• ✓ Webhook signature verification is correctly implemented
• ✓ Prefers audio_only recording type for efficiency

Documentation

• ✓ README describes concrete end result (auto-transcribe Zoom recordings)
• ✓ All env vars documented with where-to-find links (Zoom Marketplace, Deepgram console)
• ✓ Key parameters table present
• ✓ Zoom app setup instructions are detailed and step-by-step
• ✓ "How it works" covers the full flow from webhook to transcript

Tests

• ✓ Credential check runs first, exits code 2 for missing creds
• ✓ Test 1: Real Deepgram API call with transcribeUrl — verifies STT works
• ✓ Test 2: Real Zoom OAuth token retrieval — verifies Zoom credentials work
• ✓ Test 3: Webhook HMAC validation logic test
• ✓ Assertions verify meaningful content (transcript keywords, token presence)

Conventions

• ✓ .env.example present and complete (5 variables)
• ✓ Directory named 180-zoom-recording-transcription-node — correct numbering
• ✓ PR title format correct: [Example] 180 — Zoom Cloud Recording Transcription (Node.js)
• ✓ Metadata block present in PR body

Minor note

• The test uses transcribeUrl (camelCase) while the server uses transcribeFile — both are valid SDK v5 methods for different input types (URL vs buffer). This is fine since they test different aspects.

---

✓ All checks pass. Marking review passed.

---

Review by Lead on 2026-04-01

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

✓ Pass — Zoom integration is real and comprehensive:

• Zoom Server-to-Server OAuth: authenticates with ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET against https://zoom.us/oauth/token
• Webhook signature validation: HMAC-SHA256 using ZOOM_WEBHOOK_SECRET_TOKEN to verify requests from Zoom
• Zoom URL validation handshake: handles endpoint.url_validation event correctly
• Downloads recordings via Zoom's authenticated download URL
• .env.example lists all 5 required credentials (4 Zoom + 1 Deepgram)
• Test makes real Zoom OAuth call and real Deepgram STT call

Code quality

• ✓ Official Deepgram SDK (@deepgram/sdk ^5.0.0)
• ✓ No hardcoded credentials
• ✓ Error handling: env var validation at startup, webhook signature rejection, try/catch around recording processing
• ✓ Security: webhook signature validation before processing any payload
• ✓ Prefers audio_only recording files for efficiency

Documentation

• ✓ README describes what you'll build (webhook server for auto-transcribing Zoom recordings)
• ✓ All env vars documented with where-to-find links (Zoom Marketplace, Deepgram console)
• ✓ Key parameters table present
• ✓ Zoom app setup instructions included (scopes, event subscriptions)
• ✓ Run instructions complete including tunnel suggestion for webhook testing

Tests

• ✓ Credential check runs first, exits 2 for missing creds
• ✓ Test 1: Real Deepgram pre-recorded STT with content validation
• ✓ Test 2: Real Zoom OAuth token retrieval
• ✓ Test 3: Webhook HMAC validation logic
• ✓ Tests assert meaningful results (transcript content, token presence, hash format)

Conventions

• ✓ .env.example present and complete (5 variables)
• ✓ Directory: 180-zoom-recording-transcription-node ✓
• ✓ PR title: [Example] 180 — Zoom Cloud Recording Transcription (Node.js) ✓
• ✓ Metadata block present

---

✓ All checks pass. Marking review passed.

---

Review by Lead on 2026-04-01

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

Pass — Zoom integration is genuine:

• Makes real Zoom Server-to-Server OAuth calls (https://zoom.us/oauth/token)
• Downloads recordings via Zoom API with OAuth bearer token
• Validates Zoom webhook signatures using HMAC-SHA256 with ZOOM_WEBHOOK_SECRET_TOKEN
• Handles Zoom endpoint.url_validation handshake
• .env.example lists all Zoom credentials: ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_WEBHOOK_SECRET_TOKEN
• Test makes real Zoom OAuth token retrieval call

Code quality

• ✅ Official Deepgram SDK used (@deepgram/sdk v5)
• ✅ No hardcoded credentials
• ✅ Webhook signature validation (security best practice)
• ✅ Good error handling — try/catch around recording processing, OAuth error reporting

Documentation

• ✅ README describes concrete end result (auto-transcribe Zoom recordings)
• ✅ All env vars documented with where-to-find links
• ✅ Key parameters table present
• ✅ Zoom app setup instructions included
• ✅ Run instructions are exact and complete

Tests

• ✅ Credential check runs first, exits 2 for missing credentials
• ✅ Test 1: Real Deepgram pre-recorded STT call
• ✅ Test 2: Real Zoom OAuth token retrieval
• ✅ Test 3: Webhook HMAC validation logic
• ✅ Tests assert meaningful content (transcript keywords, valid access token)

Conventions

• ✅ .env.example present and complete
• ✅ Directory named 180-zoom-recording-transcription-node
• ✅ PR title format correct
• ✅ Metadata block present in PR body

---

✓ All checks pass. Marking review passed.

---

Review by Lead on 2026-04-01

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

Pass — Zoom integration is real and substantive:

• Real Zoom Server-to-Server OAuth implementation (zoom.us/oauth/token with account_credentials grant)
• Webhook signature validation using ZOOM_WEBHOOK_SECRET_TOKEN with HMAC-SHA256
• Zoom endpoint URL validation handshake (endpoint.url_validation event handling)
• Recording download via Zoom API with OAuth access token
• .env.example lists all Zoom credentials: ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_WEBHOOK_SECRET_TOKEN
• Tests make real Zoom OAuth token retrieval and real Deepgram STT calls

Code quality

• ✓ Official Deepgram SDK used (@deepgram/sdk with transcribeFile)
• ✓ No hardcoded credentials
• ✓ Good error handling — env var checks, OAuth error handling, download error handling
• ✓ Webhook signature validation prevents unauthorized requests
• ✓ Prefers audio_only recording files for efficiency

Documentation

• ✓ README describes concrete end result (auto-transcribe Zoom recordings)
• ✓ All env vars documented with where-to-find links
• ✓ Key parameters table present
• ✓ Run instructions are exact and complete
• ✓ Zoom app setup instructions included
• ✓ "How it works" section explains the full webhook→download→transcribe pipeline

Tests

• ✓ Credential check runs first with exit code 2 for missing credentials
• ✓ Real Deepgram API call with meaningful content assertions
• ✓ Real Zoom OAuth token retrieval
• ✓ Webhook HMAC validation logic tested

Conventions

• ✓ .env.example present and complete
• ✓ Directory named 180-zoom-recording-transcription-node — correct
• ✓ PR title format correct
• ✓ Metadata block present in PR body

---

✓ All checks pass. Marking review passed.

---

Review by Lead on 2026-04-01

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

Pass — Zoom integration is genuine:

• Zoom Server-to-Server OAuth implemented (fetch to zoom.us/oauth/token with account_credentials grant)
• Zoom webhook handling with HMAC signature verification (x-zm-signature)
• Zoom endpoint URL validation handshake (endpoint.url_validation) handled
• Recording download via Zoom API with OAuth access token
• .env.example lists all Zoom credentials: ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_WEBHOOK_SECRET_TOKEN

Code quality

• ✓ Official Deepgram SDK used (DeepgramClient, listen.v1.media.transcribeFile)
• ✓ No hardcoded credentials
• ✓ Webhook signature verification is correct (HMAC-SHA256)
• ✓ Prefers audio-only recording files for faster transcription

Documentation

• ✓ README describes concrete end result (webhook → download → transcribe pipeline)
• ✓ All env vars documented with where-to-find links
• ✓ Key parameters table present
• ✓ Zoom app setup instructions included

Tests

• ✓ Credential check runs first, exits 2
• ✓ Real Deepgram STT call with known audio
• ✓ Real Zoom OAuth token retrieval
• ✓ Webhook HMAC validation logic tested

---

✓ All checks pass. Marking review passed.

---

Review by Lead on 2026-04-01

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

Pass. This example genuinely integrates with Zoom:

• Zoom Server-to-Server OAuth implemented: getZoomAccessToken() calls https://zoom.us/oauth/token with account_credentials grant
• Zoom webhook validation: HMAC-SHA256 signature verification using ZOOM_WEBHOOK_SECRET_TOKEN
• Zoom endpoint URL validation handshake: handles endpoint.url_validation event with challenge/response
• Recording download: fetches recording audio from Zoom's download URL with OAuth token
• .env.example lists 4 Zoom credentials: ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_WEBHOOK_SECRET_TOKEN
• Test makes a real Zoom OAuth token retrieval call (Test 2)

Code quality

• Official Deepgram SDK used (@deepgram/sdk via DeepgramClient)
• No hardcoded credentials
• Good error handling: env var validation at startup, webhook signature verification, OAuth error checking
• Clean separation: webhook handler, OAuth, recording processor

Documentation

• README describes concrete end result (auto-transcribe Zoom recordings)
• All 5 env vars documented with where-to-find links
• Key parameters table present
• Zoom app setup instructions included (5-step guide)
• "How it works" section clearly explains the 8-step flow

Tests

• Credential check runs first, exits code 2 for missing creds
• Test 1: Real Deepgram pre-recorded STT with transcribeUrl — meaningful assertions on transcript content
• Test 2: Real Zoom OAuth token retrieval — validates actual credentials work
• Test 3: Webhook HMAC validation logic — verifies crypto works correctly

Conventions

• .env.example present and complete (5 variables)
• Directory named 180-zoom-recording-transcription-node — correct
• PR title format correct: [Example] 180 — Zoom Cloud Recording Transcription (Node.js)
• Metadata block present in PR body

---

Review by Lead on 2026-04-01

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

✓ Pass — Zoom integration is genuine:

• Real Zoom Server-to-Server OAuth implementation (getZoomAccessToken() calls https://zoom.us/oauth/token)
• Webhook signature validation using HMAC-SHA256 with ZOOM_WEBHOOK_SECRET_TOKEN
• Zoom endpoint URL validation handshake (endpoint.url_validation event handling)
• Recording download via Zoom API with OAuth token
• .env.example lists 4 Zoom-specific credentials (ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_WEBHOOK_SECRET_TOKEN)
• Test makes a real Zoom OAuth token retrieval call and real Deepgram STT call

Code quality

• ✓ Official Deepgram SDK used (DeepgramClient + listen.v1.media.transcribeFile)
• ✓ No hardcoded credentials
• ✓ Good error handling — required env vars checked at startup, OAuth errors surfaced
• ✓ Comments explain WHY (e.g., "Prefer audio_only files — smaller and faster to transcribe")
• ✓ Webhook signature verification is correct — follows Zoom's documented format

Documentation

• ✓ README describes concrete end result (auto-transcribe Zoom recordings)
• ✓ All env vars documented with where-to-find links
• ✓ Key parameters table present
• ✓ Run instructions include tunnel setup for webhooks
• ✓ Zoom app setup instructions are thorough

Tests

• ✓ Credential check runs first, exits 2 for missing creds
• ✓ Test 1: Real Deepgram STT call with transcript content verification
• ✓ Test 2: Real Zoom OAuth token retrieval
• ✓ Test 3: Webhook HMAC validation logic
• ✓ Assertions are meaningful (checks transcript length, content, token presence)

Conventions

• ✓ .env.example present and complete (5 variables)
• ✓ Directory named 180-zoom-recording-transcription-node
• ✓ PR title format correct: [Example] 180 — Zoom Cloud Recording Transcription (Node.js)
• ✓ Metadata block present in PR body

---

✓ All checks pass. Marking review passed.

---

Review by Lead on 2026-04-01

[github-actions]

⏸ Waiting on credentials before this can auto-merge

No CI checks have run on this branch. The following secrets are needed:

• DEEPGRAM_API_KEY — Deepgram console
• ZOOM_ACCOUNT_ID — Zoom Marketplace → Server-to-Server OAuth app → App Credentials
• ZOOM_CLIENT_ID — Same app → App Credentials
• ZOOM_CLIENT_SECRET — Same app → App Credentials
• ZOOM_WEBHOOK_SECRET_TOKEN — Same app → Feature tab → Event Subscriptions → Secret Token

Add these as repository secrets and
push an empty commit to re-trigger tests. The PR stays open — it does NOT
fail, it waits.

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

Pass — Zoom Server-to-Server OAuth is implemented with real API calls (https://zoom.us/oauth/token with account_credentials grant). Webhook signature validation uses crypto.createHmac('sha256', ZOOM_WEBHOOK_SECRET_TOKEN). .env.example lists all four Zoom credentials (ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_WEBHOOK_SECRET_TOKEN). Test verifies real Zoom OAuth token retrieval.

Code quality

• ✓ Official Deepgram Node.js SDK (@deepgram/sdk ^5.0.0) used via DeepgramClient
• ✓ No hardcoded credentials
• ✓ Good error handling (env var checks, OAuth failure, download failure)
• ✓ Webhook signature validation protects against spoofed requests
• ✓ Comments explain WHY (e.g. "Zoom sends two event types here", "Prefer audio_only files — smaller and faster")

Documentation

• ✓ README describes concrete end result (auto-transcribe Zoom recordings)
• ✓ All env vars documented with where-to-find links (Zoom Marketplace paths)
• ✓ Key parameters table present
• ✓ Run instructions and Zoom app setup steps are complete

Tests

• ✓ Credential check runs FIRST (before imports)
• ✓ Exit code 2 for missing credentials
• ✓ Tests make real API calls (Deepgram STT + Zoom OAuth)
• ✓ Meaningful assertions (transcript content, token presence, HMAC generation)

---

✓ All checks pass. Marking review passed.

---

Review by Lead on 2026-04-01

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

Pass — Zoom integration is genuine. The server implements Zoom webhook signature validation (HMAC-SHA256), Zoom Server-to-Server OAuth token retrieval (https://zoom.us/oauth/token), and recording download via Zoom API. Deepgram @deepgram/sdk is used for pre-recorded STT with transcribeFile. .env.example lists all five required credentials (DEEPGRAM_API_KEY, ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_WEBHOOK_SECRET_TOKEN). Tests make real calls to both Deepgram and Zoom APIs.

Code quality

• Official Deepgram Node.js SDK used (@deepgram/sdk ^5.0.0)
• No hardcoded credentials
• Webhook signature validation present
• Error handling covers OAuth failures, download failures, missing env vars

Documentation

• README describes concrete end result (auto-transcribe Zoom recordings)
• All env vars documented with where-to-find links
• Key parameters table present
• Run instructions complete, includes Zoom app setup guide

Tests

• Credential check runs FIRST, before any imports
• Exit code 2 for missing credentials
• Tests make real API calls (Deepgram STT and Zoom OAuth)
• Meaningful assertions (transcript content, token retrieval, HMAC logic)

---

✓ All checks pass. Marking review passed.

---

Review by Lead on 2026-04-01

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

Pass. Real Zoom Server-to-Server OAuth integration: authenticates via https://zoom.us/oauth/token with account_credentials grant, downloads recordings using Zoom access tokens, validates webhook signatures using ZOOM_WEBHOOK_SECRET_TOKEN with HMAC-SHA256. .env.example lists all five required credentials (DEEPGRAM_API_KEY, ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_WEBHOOK_SECRET_TOKEN). Tests make real API calls to both Deepgram and Zoom OAuth.

Code quality

• ✅ Official Deepgram Node.js SDK (@deepgram/sdk ^5.0.0) used correctly
• ✅ DeepgramClient({ apiKey }) constructor follows SDK v5 convention
• ✅ deepgram.listen.v1.media.transcribeFile(buffer, options) is correct SDK v5 pre-recorded API
• ✅ No hardcoded credentials — all from environment
• ✅ Webhook signature validation (x-zm-signature header with HMAC-SHA256)
• ✅ Zoom endpoint URL validation handshake handled (endpoint.url_validation)
• ✅ Prefers audio_only recording files for efficiency
• ✅ Required env check at startup with clear error messages

Documentation

• ✅ README describes concrete end result (auto-transcribe Zoom recordings with speaker labels)
• ✅ All 5 env vars documented with where-to-find links
• ✅ Key parameters table present
• ✅ Run instructions complete, including Zoom app setup steps
• ✅ Zoom app setup section with required scopes and event subscriptions

Tests

• ✅ Credential check runs FIRST (lines 8-19) before any SDK imports
• ✅ Exit code 2 for missing credentials
• ✅ Test 1: Real Deepgram pre-recorded STT call with content verification
• ✅ Test 2: Real Zoom OAuth token retrieval
• ✅ Test 3: Webhook HMAC signature validation logic
• ✅ Meaningful assertions on all tests

---

✓ All checks pass. Marking review passed.

---

Review by Lead on 2026-04-01

[github-actions]

Code Review

Overall: APPROVED

Integration genuineness

Pass. Zoom integration is real and thorough:

• Server-to-Server OAuth token retrieval via https://zoom.us/oauth/token with account_credentials grant
• Webhook signature validation using ZOOM_WEBHOOK_SECRET_TOKEN with HMAC-SHA256
• Zoom endpoint.url_validation handshake handled correctly
• Recording download via authenticated Zoom URL
• .env.example lists all four Zoom credentials (ZOOM_ACCOUNT_ID, ZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET, ZOOM_WEBHOOK_SECRET_TOKEN)
• Test makes a real Zoom OAuth API call

Code quality

• ✓ Official Deepgram SDK (@deepgram/sdk ^5.0.0) with deepgram.listen.v1.media.transcribeFile()
• ✓ No hardcoded credentials — all secrets come from environment variables
• ✓ Error handling: env var validation at startup, webhook signature verification, download failure checks
• ✓ Comments explain WHY (e.g., why audio_only is preferred, why token is fetched fresh each time)

Documentation

• ✓ README describes concrete end result (server that auto-transcribes Zoom recordings)
• ✓ All 5 env vars documented with where-to-find links
• ✓ Key parameters table present
• ✓ Run instructions complete, includes Zoom app setup guide

Tests

• ✓ Credential check runs first with exit code 2 for missing credentials
• ✓ Real API calls: Deepgram pre-recorded STT and Zoom OAuth token retrieval
• ✓ Meaningful assertions: transcript content and length, token presence, HMAC output

---

✓ All checks pass. Marking review passed.

---

Review by Lead on 2026-04-01

[github-actions]

⏳ Waiting on credentials

Missing: ZOOM_ACCOUNT_ID ZOOM_CLIENT_ID ZOOM_CLIENT_SECRET ZOOM_WEBHOOK_SECRET_TOKEN

Add these as repository secrets and the next review sweep will pick this up.

[github-actions]

Code Review

Overall: APPROVED

Tests ran ✅

Test 1: Deepgram pre-recorded STT (nova-3)...
✓ Transcript received (334 chars)
✓ Expected content verified (found: spacewalk)

Test 2: Zoom OAuth token retrieval...
✓ Zoom OAuth token retrieved successfully

Test 3: Webhook signature validation logic...
✓ Webhook validation HMAC logic works

✓ All tests passed

Integration genuineness

Pass — Zoom integration is genuine:

• Real Zoom S2S OAuth call to https://zoom.us/oauth/token with account_credentials grant (server.js:88)
• Zoom webhook signature validation using x-zm-signature header (server.js:56-65)
• Zoom URL validation handshake handled (server.js:43-52)
• Recording download via Zoom OAuth access token (server.js:126-127)
• .env.example lists all 4 Zoom credentials + Deepgram key
• Test 2 makes a real Zoom OAuth token request and verifies access_token in response

Code quality

• ✓ Official Deepgram SDK v5 (@deepgram/sdk ^5.0.0) with correct DeepgramClient constructor
• ✓ No hardcoded credentials anywhere
• ✓ Credential check runs first (server.js:19-25) before SDK init (server.js:28)
• ✓ Error handling: OAuth failure, download failure, missing recording files, webhook signature rejection
• ✓ Webhook signature verification prevents unauthorized requests
• ✓ Prefers audio_only recording type for efficiency (server.js:110-112)
• ✓ Test uses exit code 2 for missing credentials (test.js:20)

Documentation

• ✓ README has "What you'll build" section
• ✓ All env vars listed with where-to-find links
• ✓ Install/run instructions included
• ✓ Zoom app setup steps documented
• ✓ .env.example complete with comments

---

✓ All checks pass. Ready for merge.

---

Review by Lead on 2026-04-01