"API hasn't passed marketplace verification"

Zoom Apps Configuration
Vue 3, Vite 2

I would like to perform OAuth2 authentication, I guess, using zoomSdk.authorize.

API hasn't passed marketplace verification.[error from web: code:40316, msg:'This api is not supported']

Troubleshooting Routes
I searched “API hasn’t passed marketplace verification” at Zoom Developer Support.

How To Reproduce

  • Create an app

  • Add the zoomapp:inmeeting scope

  • Start the app

  • Run await zoomSdk.config({ capabilities: ['shareApp'] })

  • Run await zoomSdk.authorize()


Hi Tiana.

From your post, I’d suggest two things:

First, in your marketplace.zoom.us app build flow for this app, go to the Features tab, click on ‘Add APIs’ under the Zoom App SDK widget. Make sure the authorize API is checked on AND the onAuthorized event is checked on.

Second, add these items to your capabilities list: ‘authorize’ and ‘onAuthorized’

I wouldn’t have guessed OAuth-related methods would be disabled by default, I enabled those now.

The zoomSdk.promptAuthorize now returns { message: 'Success' } although nothing else happens.

Calling zoomSdk.onAuthorized beforehand changes nothing and the callback is not fired.

Also, I would like to have a try at zoomSdk.promptAuthorize, as I would prefer to avoid the PKCE thing, but that one returns the same initial error (API hasn't passed marketplace verification) despite I added the capability.


Hi Tiana,

promtAuthorize and authorize are not substitutes for each other; they do different things.

promptAuthorize → use this when:

  1. The user status (per the getUserContext status field) is ‘unauthenticated’, which means the user is not logged in to Zoom. This will prompt the user to log in to Zoom, and the sign in will be indicated with a onMyUserContextChange event.
  2. The user status is ‘authenticated’, which means the user is logged in to Zoom, but has not ‘added’ the app. In this scenario, the method will take a user to the consent screen so they can add the app. After consenting, they will be returned to the App. Now, their user status will be ‘authorized’.

authorize → use this when:

  1. User status is ‘authorized’. This will kick off an OAuth 2.0 - based exchange. The first step is to listen for and receive an onAuthorized event. This event will include a code field; you can use this code then server-side to exchange for an access token for the Zoom Rest API.

For more info: Authentication

I understand.

The documentation you linked says :

Only PCKE method ‘plain’ is supported

The <internal> | @zoom/appssdk - v0.16.3 documentation says :

Only S256 encryption PKCE values are supported

Which one is true ?

Is it possible to avoid PKCE altogether ?

If I understand correctly :

const CODE_CHALLENGE = require('crypto').createHash('sha256').update(CODE_VERIFIER).digest('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')

For testing purposes, I set CODE_VERIFIER = 'foo' (CODE_CHALLENGE = 'LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564'), but keep getting invalid_grant.


Apologies, the Authentication docs are outdated. SHA256 is required.

I might try looking for an online tool to test your SHA256 code challenge implementation. There are many out there

Well, according to those tools (e.g. this one and that one), my code is right.

I also tried generating strings directly from those tools, and still am getting invalid_grant.

Could I please have some help regarding that matter ? Thanks

@JonStewart Hello ?.

Is your app based off our reference app? We recommend taking a look at 3rd party auth implementation within our reference app: zoomapps-advancedsample-react/controller.js at main · zoom/zoomapps-advancedsample-react · GitHub

Your code challenge looks similar, but look through this sample app and see if altering implementations help?

I’m developing an in-meeting app, so I’m using zoomSdk.authorize to get a code.

Regarding getting a token :

In the code you linked, payload is sent as application/json and client credentials are included in the payload (which returns unsupported_grant_type when testing).

While in the documentation, payload is sent as application/x-www-form-urlencoded and client credentials are sent as BasicAuth (which returns invalid_grant when testing).

So none work, but which one is supposed to ?


Hi @tianalemesle - I just tested our Reference app with authorization and it worked fine. Have you tried installing it and seeing how it works? Follow what’s currently in the Reference app, we are in the process of updating our docs so it may not be up to date.

We tested our reference app using client version 5.12.0 (9832) and the latest CDN sdk version and found no errors with the Oauth. We strongly recommend using the reference app as a reference. Can you attempt to run the reference app to see if your errors are reproducible?

Refer to this authorization page instead for Oauth within zoom apps: Authentication

Hi @tianalemesle - have you tried using plain?