403 error in OAuth Redirect URL occurs in Development environment when URL includes "localhost"

App Marketplace
1

In the Zoom Apps settings for the Development environment, if the domain of the OAuth Redirect URL is “localhost”, a 403 error occurs.

Until September 12, 2025, the setting was successful and OAuth login was possible.

Why is this issue now suddenly occurring?

(The documentation also states that “localhost” can be used as the domain.)

How To Reproduce

  1. Select any app from the “Created Apps” section of the App Marketplace.
  2. On the Basic Information page, enter a URL including localhost in the OAuth Redirect URL (e.g., http://localhost:3000/auth/zoom/callback ).
  3. Received the error message “The resource your were trying is forbidden.”

Thanks.

3 Likes
2

Yes, exactly, we’re hitting the same issue! This needs to be fixed ASAP as it breaks our workflow and development cycle. Developers can’t continue working on issues that involves embedded zoom (Meeting SDK).

1 Like
3

Hi @EugeneB and @t_iizuka
Thank you for reaching out to us, allow me to do a quick test and I will get back to you with an update

4

Also hitting this. It is a blocker for us.

5

Hi @Dev110 @EugeneB @t_iizuka
I’ve shared this with the right team, and we’re already looking into it.
I will keep you updated on any news I hear

6

This looks like a recent regression. Zoom’s docs say localhost/loopback are allowed for dev redirects, but your 403 with localhost since 2025-09-12 suggests a new validation rule slipped in. Quick workarounds:

  1. Use a loopback IP instead of hostname:
    http://127.0.0.1:3000/auth/zoom/callback (or [::1]) and make sure the exact scheme+host+port is in both Redirect URL and Allowlist.

  2. Use a public tunnel (e.g., ngrok / cloudflared) and put the tunnel URL in Redirect + Allowlist. Zoom’s samples recommend this for local dev.

If those work, it confirms an localhost-only check. I’d also open a ticket with Zoom dev support and link this thread so they can roll back or document the change. Similar 403/redirect allowlist issues have been reported recently.

2 Likes
7

@Jack7 Thanks for sharing these details Jack, we are currently looking into this issue

1 Like
8

Hi @t_iizuka @EugeneB @Dev110 @Jack7
This issue has been addressed and resolved.
Could you please try again and let me know if it’s working on your end now?

4 Likes
9

Our issue seems to have been resolved. Thanks Elisa and team :slight_smile:

1 Like
10

Thanks for jumping on this so quickly! :folded_hands: I just tested again using and I’m no longer getting the 403 — looks like it’s working now.

Appreciate the fast fix.

1 Like
11

Thanks for your quick response!!

I just confirmed this issue to have been resolved.

13

Sorry for the late reply.
And thank you for the workaround suggestion!!

This issue has been resolved,
but before that the only workaround was:

  1. Use a public tunnel (e.g., ngrok / cloudflared) and put the tunnel URL in Redirect + Allowlist. Zoom’s samples recommend this for local dev.
1 Like