Obuchat Assistant — Zoom Marketplace Test Plan

For Zoom Marketplace Security & Privacy review.

App type: User-managed OAuth (General app). Not a Zoom in-client / in-meeting app. Users interact via Telegram and our Mini App only.

Entry points

Test credentials

Single-user flow (one Telegram user ↔ one Zoom account). No multi-role app.

No shared Telegram password required. Reviewers use their own Telegram account. We pre-approve reviewer Telegram user IDs on request (within 24 hours).

ServiceHow reviewers access
Telegram Bot: https://t.me/PshAssistent_bot
Open the bot with your own Telegram account.
If you see an access gate: email support@obuchat.me with your Telegram user ID (Settings → Advanced — or send /start and we reply with ID). We add you to the allowlist within 24 hours.
Zoom Connect your own Zoom test account via OAuth (/zoom_auth).
Use a Zoom account with permission to host meetings. Dummy meetings are fine.

Important: OAuth on production uses Production Client ID (25bg0QtHTVyrLWzx1WQwgQ) on assistant.obuchat.me.

Reviewer steps (end-to-end)

  1. Open Home URLOpen bot in Telegram.
  2. Log in with the test Telegram account above (or your own — email support@obuchat.me with Telegram user ID for allowlist).
  3. Send /zoom_auth or Mini App → Profile → Zoom → Connect.
  4. Complete Zoom OAuth (Production). Confirm Zoom shows as connected in Profile.
  5. Run scope tests below.

OAuth scopes and test steps

All scopes below are required (not optional) in our Marketplace submission.

ScopeHow to test
user:read:user
  1. Complete OAuth as above.
  2. Mini App → Profile — Zoom shows connected name/email from Zoom profile.
user:read:token
  1. After OAuth, create an instant meeting (zoom).
  2. If auto-record is enabled, Leo can join the meeting as a bot (OBF token). Success confirms scope.
meeting:write:meeting
  1. Send zoom in the bot.
  2. Bot replies with a Zoom join URL (instant meeting).
meeting:update:meeting
  1. Create a meeting (instant or scheduled).
  2. Send: reschedule zoom to 15:00 tomorrow.
  3. Bot confirms the meeting was moved.
meeting:delete:meeting
  1. Send delete zoom for a meeting created through the bot.
  2. Bot confirms Zoom meeting removal.
cloud_recording:read:recording
  1. Mini App → Profile → Zoom — list of recent cloud recordings (if any on the test account).
  2. Used only to display recording metadata/links to the user; we do not bulk-download recordings.

Deauthorization (required)

  1. Connect Zoom as above.
  2. In Zoom: Manage → Added Apps → remove Obuchat Assistant.
  3. Our endpoint /webhook/deauthorize receives app_deauthorized and deletes stored OAuth tokens within 24 hours.
  4. In Telegram, /zoom_auth is required again before creating meetings.

Manual disconnect (in-app)

  1. Mini App → Profile → Zoom → Disconnect.
  2. Tokens are revoked at Zoom and deleted locally.

Event subscription

meeting.ended — optional post-meeting notification to the host in Telegram.

Not a Zoom in-client app

Obuchat Assistant does not run inside the Zoom desktop or mobile meeting client. There is no in-meeting UI, no Meeting surface, and no Zoom Apps SDK embed. All interaction is through Telegram chat and the web Mini App at assistant.obuchat.me.