Zoom Scheduler Explainer

Zoom Scheduler Overview

This document provides a technical overview of Zoom Scheduler, covering its architecture, data handling practices, and integration capabilities. This Explainer is designed for IT administrators, security teams, and technical decision-makers evaluating or implementing Scheduler within their organizations.

Zoom Scheduler is an appointment scheduling product designed for professionals who need to offer bookable time slots

Zoom Scheduler is an appointment scheduling product that streamlines the booking experience by letting users share their availability with people outside their organization. It's designed for professionals who need to offer bookable time slots, whether they're sales teams, recruiters, consultants, or customer success managers. Zoom Scheduler prevents the back-and-forth of finding a mutually available time.

Scheduler works with your compatible calendar service to display your availability and create events when appointments are booked. It supports several meeting modalities including one to one meetings, team schedules, and availability polling so external participants select a time that works for them.

The following diagram shows an overview of how Zoom Scheduler works:

Zoom Scheduler and Zoom Calendaring Integration serve different purposes despite using interchangeable terms

Scheduler and calendar integration serve different purposes and are sometimes confused by customers who use the terms interchangeably.

Zoom Calendaring Integration syncs calendar data across Zoom endpoints. Integrating calendar services with Zoom can be as simple or involved as your organization needs. In the case of integrating enterprise calendaring services with Zoom Workplace, that requires special access and permissions. But with Zoom Scheduler, the level of access is limited.

Zoom Scheduler allows you to create publicly viewable and bookable schedules with others within and outside your organization. It can integrate with your calendar to sync booked appointments and check your calendar for conflicts. It reads your calendar's free and busy statuses on demand and writes new events when appointments are booked. It's another layer on top of your existing calendar rather than a replacement.

You don't need Zoom Calendaring Integration enabled for Scheduler to work. Scheduler connects directly to your calendar provider through its own OAuth authorization.

Zoom Scheduler is licensed for Zoom Workplace Business, but can also be purchased as an add-on

Zoom Scheduler is a licensed product. It's included with Zoom Workplace at the Business tier and higher, or available as a standalone add-on for other plans.

What are the benefits of enabling Zoom Scheduler?

• Share availability externally without exposing calendar details: invitees see available time slots, not your event titles or descriptions

• Reduce scheduling friction by eliminating email back-and-forth to find meeting times

• Automatic conflict detection helps prevent double-booking

• Calendar events created automatically when someone books a time, with meeting details included across platforms and locations, including Zoom, Microsoft Teams, Google Meet, and on-site or in-person

• Supports multiple booking types such as All Host Available and Any Host Available for coordinated scheduling across teams

• Helps reduce no-shows and engage your customers with email and SMS automations such as reminders and follow-up emails

Which calendar providers are supported?

Zoom Scheduler is compatible with these calendar services*:

• Microsoft 365: Cloud-hosted Exchange Online calendars

• **Google Workspace:**Google Calendar

• Zoom Mail & Calendar

• Zoom Scheduler support for iCloud Calendar is currently in beta and out of scope for this article

Zoom Scheduler can be accessed via the web, Zoom Workplace, and the Zoom mobile app

Users can access Zoom Scheduler through:

• Web browser via the Zoom web portal

• Zoom Workplace application on desktop

• Zoom mobile app on iOS and Android (currently supports a limited set of read functionality)

Mobile security:

The mobile version uses the same data flow as the desktop application. The mobile app loads the Scheduler page into an authenticated webview. The webview makes all requests to Zoom servers through HTTPS. When the webview needs to call native device functions, it uses postMessage, and the native layer verifies the message origin before executing any action.

External participant access:

External participants access Scheduler through booking page links shared by the host. These links open in a web browser and don't require the participant to have a Zoom account or the Zoom Workplace application installed.

Data Handling and Security

Zoom Scheduler uses OAuth 2.0 and backend APIs to access calendar data

Zoom Scheduler accesses calendar data through OAuth 2.0 authorization:

1. The user accesses Zoom Scheduler through the web portal or Zoom application.

2. Zoom's internal services retrieve an access token from the host's calendar provider.

3. With permission granted, Scheduler can view the host's calendar availability and create or modify events.

4. When a scheduling action occurs, Scheduler makes an API request to refresh live availability from the calendar provider.

The Zoom Scheduler application doesn't connect directly to calendar services. All calendar requests flow through Zoom's backend services via APIs.

OAuth tokens are encrypted during storage, expire after an hour, and can be revoked by users

Scheduler uses standard OAuth 2.0 for calendar integration with Microsoft and Google.

Token storage:

• Access tokens are stored in Redis cache

• Refresh tokens are encrypted and stored in MongoDB

• Tokens are stored using 256-bit AES-GCM encryption

Token refresh:

Access tokens expire after approximately one hour. When a token expires and the user takes an action that requires calendar access, Zoom automatically refreshes the access token using the stored refresh token. This process is automatic and doesn't require user intervention.

Token revocation:

Users can disconnect their calendar from Scheduler at any time through the Zoom web portal, which revokes Scheduler's access. Calendar provider administrators can also revoke access through their respective admin consoles (Entra ID for Microsoft, Google Workspace Admin for Google).

What calendar information does Zoom Scheduler access?

Zoom Scheduler accesses your calendar's free/busy status to determine availability. It uses this information to display bookable time slots to participants.

For calendar events Scheduler has not created, Scheduler does not access or read:

• Event titles

• Event descriptions or body content

• Attendee lists

• Attachments

When a participant books a time, Scheduler creates a new calendar event. When a participant modifies a booking, Scheduler updates the event it created. Scheduler only manages events it has created. It doesn't modify your other calendar events.

What data does Zoom Scheduler store?

Scheduler's data storage is limited and specific.

• Booking page name, link, description, location, reminders, calendar invites, cancellation policy, attendees, and attendee questions.

• Booking responses from attendees.

• Availability polls and descriptions.

• Scheduler routing form names, descriptions, and form questions.

• Scheduler user profile picture, uploaded branding logo, and notification content.

• Scheduler delegate management information.

• Scheduler payment integration information.

Currently, Zoom Scheduler doesn't support Customer Managed Key (CMK)

Scheduler doesn't currently support Zoom Customer Managed Key for encrypting stored data. Organizations with CMK requirements should factor this into their deployment decisions.

How does Zoom Scheduler protect user privacy?

Scheduler can only function if a host grants Scheduler access to a connected calendar through OAuth authorization.

For example, if a CEO hasn't connected their calendar to Scheduler, their availability won't appear in team scheduling scenarios. Each user must individually authorize Scheduler to access their calendar.

This means:

• Users control whether their availability is visible through Scheduler

• Existing calendar permission controls remain unchanged

• No calendar data is accessible until the user explicitly connects their calendar

Booking page visibility:

Booking pages are publicly accessible via their unique URL. Users may change the visibility of booking pages for increased privacy. For example, marking them Active or Inactive. Additionally, each individual booking page has an Additional Option to "Hide from public booking page" to offer granular control of what pages appear externally or not.

Calendar availability (free/busy status) is only retrieved in real time when:

• A user creates a one-off meeting or availability poll

• A participant opens a booking link to view available times

• A participant books or modifies a time

How is data protected in transit?

All communications between Zoom services and calendar providers are encrypted using TLS 1.2.

Zoom Scheduler users the standard Zoom port 443 connection and has no other special network requirements

Scheduler has no special firewall or network requirements beyond standard Zoom access. All connections use HTTPS on port 443. Refer to Zoom's general network and firewall documentation for baseline requirements.

Provider-Specific Details

Zoom Scheduler is compatible with the following calendar services and integrations.

Zoom Scheduler works with various, common calendar service providers

As mentioned above, Zoom Scheduler can connect to the following services for reading availability and creating events:

• Microsoft 365: Cloud-hosted Exchange Online calendars, like Outlook Calendar

• Google Workspace: Google Calendar

• Zoom Mail & Calendar

Zoom Scheduler integrates with Microsoft 365 using a Microsoft Graph application

Scheduler uses a Microsoft Graph application called ZOOM-GRAPH to connect to user calendars. This is a user-level integration using OAuth 2.0 with delegated permissions, meaning each user authorizes access to their own calendar individually.

Scheduler does not use Application Permissions or a service account model. There's no admin-level deployment that grants calendar access on behalf of users.

What permissions does Scheduler require?

The ZOOM-GRAPH application requests the following Microsoft Graph API permissions:

How can I identify the ZOOM-GRAPH application?

The ZOOM-GRAPH application appears in your Entra ID Enterprise Applications directory after a user authorizes Scheduler. You can locate it by searching for "ZOOM-GRAPH" in the Enterprise Applications list.

Zoom Scheduler integrates with Google Calendar using OAuth 2.0

Scheduler connects to Google Calendar using OAuth 2.0 with user-level authorization.

For Google Workspace calendar users, the following permissions are required:

Zoom Scheduler can create the meetings for various meeting platforms

When an appointment is booked, Scheduler can create meetings on these platforms:

• Zoom Meetings

• Google Meet

• Microsoft Teams

Third-party integrations offer additional scheduling functionality

Scheduler can connect with the following services for extended functionality:

• Stripe: Payment collection for bookings

• Zapier: Workflow automation

• Salesforce: Syncs scheduled events to Salesforce

Appendix

Zoom Scheduler sends SMS notifications through Twilio with built-in content safeguards

Zoom Scheduler uses Twilio, a third-party cloud communications platform, to deliver SMS notifications to attendees. Messages are sent from a pool of phone numbers managed by Zoom.

Message processing and safeguards

Before delivery, Zoom processes all SMS notifications through internal safety, spam, and phishing filters. Additionally, Zoom uses AI-based detection to prevent users from adding sensitive information to SMS notification templates. Twilio may apply additional filtering and block messages it deems as spam. Zoom may disable SMS functionality for accounts with high rates of detected spam or policy violations.

Attendee consent and controls

Attendees must opt in to receiving SMS notifications at the time of booking. Attendees can manage their SMS preferences by replying to any Scheduler SMS message:

• STOP — Opt out of text messages

• START — Opt back in to text messages

• HELP — Receive help information

Replies must be sent to the same number the attendee received the message from.

Zoom Scheduler notifications are offered through email or push via the Zoom mobile app

Scheduler delivers booking confirmations and reminders through:

• Email: Confirmation and reminder emails to both hosts and participants

• Push notifications: Mobile app notifications for hosts with the Zoom mobile app installed

• SMS via Twilio.

Zoom Scheduler is available through US and EU clusters

Zoom Scheduler is currently generally available to Zoom customers hosted on Zoom’s United States-based cluster and regionally within Zoom’s European-based cluster.

Organizations hosted on other clusters should confirm availability with their Zoom account team.

Current limitations

The following features are not currently supported:

• SSO or password protection for booking pages: Booking pages are publicly accessible via their unique URL

• Attachments on booking invitations: There is no way to add attachments to booking page invites

• Customer Managed Key (CMK): Scheduler does not support CMK for encrypting stored data

• Admin-level calendar deployment: Each user must individually connect their calendar; admins cannot grant access on behalf of users

• Exchange Server on-premises support: Only cloud-hosted calendar providers are supported

• SMS message length: Text messages are limited to 180 characters

• No URLs in SMS: Messages containing links are blocked and will not be delivered

• SMS disabled for large events: SMS workflows are not sent for events with more than 100 registered attendees

• International SMS delivery: Some phone carriers in certain countries have strict filters that may block messages

Related resources

• Zoom Scheduler Product Page

• Zoom Scheduler Support Documentation

• Zoom Calendaring Integration Explainer

• Network and Firewall Requirements for Zoom