Bad request on In-client OAuth server side token request

  1. I generate the 32 bit code verifier client side

```javascript
// Builds the verifier from Math.random(), which is not a cryptographically secure generator.
function generateRandomString(length) {
  var text = "";
  var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

  for (var i = 0; i < length; i++) {
    text += possible.charAt(Math.floor(Math.random() * possible.length));
  }

  return text;
}
```

  2. I listen for the onAuthorized event.

```javascript
zoomSdk.addEventListener("onAuthorized", function (event) {
  // Attach the verifier so the server can send it with the token request.
  event.verifier = codeVerifier;
  jsonRequest(api_url + "/client_authorize", event, 'POST', async function (json) {
    if (json != null) {
      // (the rest of the handler is not shown in the post)
    }
  });
});
```

  3. I sent a random state and codeChallenge to the Zoom API (using the codeVerifier as codeChallenge as it is PKCE plain)

```javascript
const result = await zoomSdk.callZoomApi("authorize", {
  "state": state,
  "codeChallenge": codeVerifier
});
```

  4. At the server side I send a tokenRequest using the unchanged code from the zoomapps-sample-js on GitHub (it works when I use the traditional OAuth flow).
  5. Getting 400 bad request, does anyone know why this is a bad request?

Thank you,
Auke van Scheltinga

Tried to implement using the zoom/zoomapps-advancedsample-react GitHub repository (generate the challenge server side):


Getting the same result, 400 bad request.

Kind regards,
Auke van Scheltinga

It wasn’t the crypto, it turned out to be the redirectUrl. If you use the In-client OAuth flow, the Zoom API takes the redirectUrl to be the current URL. Make sure to update your server-side tokenRequest method to use this current URL as redirectUrl. In my case I was reusing the tokenRequest from the Zoom app sample, which uses a fixed redirect URL set by an environment variable on application boot.
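
The redirect URL mismatch described in the post above, as an added example that is not part of the original thread or of Zoom's sample code: it builds the server-side token request twice, once with a fixed redirect URL and once with the app's current URL, and runs both through a small model of the checks an authorization server applies. The function names, the sample values and the modelled checks (taken from RFC 6749 and RFC 7636 "plain", not from Zoom's implementation) are assumptions.

```javascript
// Added example; function names and sample values are constructed, not Zoom's code.
const TOKEN_URL = "https://zoom.us/oauth/token";

// redirectUri must equal the value used at authorization time; for in-client
// OAuth the post says that is the app's current URL, not a fixed env value.
function buildTokenRequest({ code, verifier, redirectUri, clientId, clientSecret }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    code_verifier: verifier,
  });
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: body.toString(),
  };
}

// Assumed model of the server's checks, following RFC 6749 section 4.1.3 and
// RFC 7636 "plain"; Zoom's real validation and error body may differ.
function checkGrant(grant, request) {
  const p = new URLSearchParams(request.body);
  const fail = (reason) => ({ status: 400, error: "invalid_grant", reason });
  if (p.get("code") !== grant.code) return fail("unknown code");
  if (p.get("redirect_uri") !== grant.redirectUri) return fail("redirect_uri mismatch");
  if (p.get("code_verifier") !== grant.codeChallenge) return fail("code_verifier mismatch");
  return { status: 200 };
}

// Constructed sample values: what the server recorded when the code was issued.
const grant = {
  code: "sample-code",
  codeChallenge: "sample-verifier-0123456789abcdef",
  redirectUri: "https://app.example.com/meeting-panel", // current URL of the app
};
const creds = { clientId: "client-id-placeholder", clientSecret: "client-secret-placeholder" };
const fixedEnvRedirect = "https://app.example.com/auth"; // fixed value set at boot

function demo() {
  const base = { code: grant.code, verifier: grant.codeChallenge, ...creds };
  const fixed = buildTokenRequest({ ...base, redirectUri: fixedEnvRedirect });
  const current = buildTokenRequest({ ...base, redirectUri: grant.redirectUri });
  return { fixed: checkGrant(grant, fixed), current: checkGrant(grant, current) };
}
console.log(demo());
```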

@auke.vanscheltinga I’m glad to hear that you were able to get this sorted out! Thanks for sharing your solution.