Zoom test plan
A step-by-step guide for Zoom Marketplace reviewers to exercise the TimeTuna Zoom integration end-to-end: connect, authorize, observe each scope in action, book a meeting, and disconnect.
1. Test account
Use the dedicated reviewer test account we have provisioned. Credentials are shared in the Marketplace submission release notes (not published here) so they are not indexed publicly. The account is a normal TimeTuna user account with no special privileges, so what you observe is identical to what every customer experiences.
- Sign-in URL: https://timetuna.com/signin
- The reviewer Zoom account should be a standard Free or Pro Zoom account.
2. Authorize the app
- Sign in to TimeTuna at https://timetuna.com/signin.
- In the top-right user menu, click Settings, then open the Connected providers tab.
- Find the Zoom row and click Connect Zoom.
- You are redirected to https://zoom.us/oauth/authorize. Sign in to Zoom if prompted.
- Zoom shows the consent screen listing the two scopes TimeTuna requests (see next section). Click Allow.
- Zoom redirects you back to https://timetuna.com/api/calendar-accounts/zoom/callback, and TimeTuna returns you to the Connected providers page. The Zoom row now shows your Zoom email and a Disconnect button.
3. Scopes used, and exactly when
TimeTuna uses two granular Zoom OAuth scopes. Each is called from one specific code path:
user:read:user
- Endpoint called: GET https://api.zoom.us/v2/users/me
- When: exactly once, immediately after the OAuth code is exchanged for a token in the callback handler.
- Why: to read the connected account's email and display name so we can label the connection in Settings → Connected providers and so we can match the same Zoom account on subsequent reconnects.
- Observe it: step 2 above. Watch the Connected providers row populate with your real Zoom email and name after the redirect lands.
meeting:write:meeting
- Endpoint called: POST https://api.zoom.us/v2/users/me/meetings
- When: once per booking, at the moment a guest confirms a booking on a booking page whose meeting type is Zoom. Never before, never on a schedule.
- Why: to create a unique scheduled Zoom meeting for that specific booking. The join URL is then included in the guest confirmation email, the host confirmation email, and the .ics calendar invite attached to both.
- Observe it: sections 4 and 5 below.
No other Zoom endpoints are called. We do not subscribe to Zoom webhooks (except the deauthorization endpoint Zoom itself calls, see section 6), we do not read existing meetings, recordings, contacts, or chat, and we do not change Zoom account settings.
4. Configure a booking page to use Zoom
- Open your dashboard at https://timetuna.com/booking-pages.
- Pick (or create) a booking page, then click into it.
- Open the Booking tab.
- Under Meeting type, toggle Zoom on. You can leave other meeting types on; the guest will be offered the choice.
- Click Save. Copy the public booking page URL from the top of the editor.
5. Take an end-to-end booking
- Open the public booking page URL in a fresh incognito window (so you are acting as a guest, not the signed-in host).
- Pick any available time slot.
- If multiple meeting types are enabled, choose Zoom.
- Fill in a guest name and a real email you can check, then submit. TimeTuna will call POST /v2/users/me/meetings in the background.
- You land on a confirmation page that shows the Zoom join URL. The host account's Zoom dashboard now lists this new scheduled meeting.
- Both the host and the guest receive a confirmation email containing the join URL and a .ics calendar invite. Opening the .ics in any calendar app shows the same Zoom link in the event location.
6. Disconnect the app
There are two paths. Both end with the stored Zoom tokens deleted from TimeTuna.
From TimeTuna
- Sign in to TimeTuna and open Settings → Connected providers.
- Click Disconnect next to Zoom. TimeTuna deletes the calendar_accounts row that holds your Zoom access and refresh tokens. The row is gone immediately and not retained.
- The Zoom row in Connected providers goes back to Connect Zoom.
From Zoom
- Sign in to zoom.us, open Apps in the left sidebar, then the Added apps tab.
- Find TimeTuna and click Remove, then confirm.
- Zoom POSTs an app_deauthorized event to TimeTuna at https://timetuna.com/api/webhooks/zoom/deauthorize. The handler verifies Zoom's signature and deletes the matching calendar_accounts row.
- If the data-compliance flag is set, TimeTuna POSTs the required compliance acknowledgement to https://api.zoom.us/oauth/data/compliance.
- Returning to TimeTuna and opening Settings → Connected providers shows the Zoom row back to Connect Zoom.
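The signature check and row deletion from the steps above, sketched as an added example (not TimeTuna's code). It assumes Zoom's documented webhook scheme, where x-zm-signature carries "v0=" plus the hex HMAC-SHA256 of "v0:<x-zm-request-timestamp>:<body>" keyed with the app's secret token; the five-minute replay window, the in-memory dict standing in for calendar_accounts, and the function names are assumptions.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed replay window, not stated on the page


def zoom_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Compute 'v0=<hex HMAC-SHA256>' over 'v0:<timestamp>:<raw body>'."""
    message = b"v0:" + timestamp.encode() + b":" + raw_body
    return "v0=" + hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def handle_deauthorize(headers, raw_body, secret, accounts, now=None):
    """Return an HTTP status; delete the stored row only for a verified event.

    headers: dict with lower-cased names; accounts: dict keyed by Zoom user id
    (a stand-in for the calendar_accounts table).
    """
    timestamp = headers.get("x-zm-request-timestamp", "")
    received = headers.get("x-zm-signature", "")
    if not timestamp.isdigit() or not received:
        return 401
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return 401  # stale or replayed delivery
    expected = zoom_signature(secret, timestamp, raw_body)
    # Constant-time comparison, done on the raw bytes before any JSON parsing.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401
    event = json.loads(raw_body)
    if event.get("event") != "app_deauthorized":
        return 400
    user_id = event.get("payload", {}).get("user_id")
    accounts.pop(user_id, None)  # idempotent: a redelivery still returns 200
    return 200


if __name__ == "__main__":
    secret = "constructed-secret-token"  # constructed sample values throughout
    accounts = {"zoom-user-1": {"access_token": "placeholder"}}
    body = json.dumps({"event": "app_deauthorized",
                       "payload": {"user_id": "zoom-user-1"}}).encode()
    ts = "1700000000"
    good = {"x-zm-request-timestamp": ts,
            "x-zm-signature": zoom_signature(secret, ts, body)}
    forged = dict(good, **{"x-zm-signature": "v0=" + "0" * 64})
    print(handle_deauthorize(forged, body, secret, accounts, now=1700000010))
    print(handle_deauthorize(good, body, secret, accounts, now=1700000010))
```

Verifying against the raw request bytes matters: re-serializing parsed JSON can change whitespace or key order and make a genuine delivery fail the check.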
7. Data handling summary
- What we store: Zoom access token, refresh token, expiry, the authorizing user's Zoom email and display name. Stored in a single row of the calendar_accounts table in our Supabase database.
- How we use it: only to call the two endpoints listed in section 3, in the contexts described.
- Retention: until either the user disconnects from TimeTuna or Zoom sends the deauthorization webhook. Both delete the row immediately.
- No third-party sharing: Zoom tokens never leave TimeTuna's backend. They are not logged, exported, or shared with any third party.