Invalid authorization code with PKCE


Our OAuth flow worked prior to adding PKCE support, this is part 2 of

The redirection is followed and I have a code, so I’m now at step 2 attempting to submit the code to get an access token:

but the endpoint returns "reason":"Invalid authorization code {code}","error":"invalid_request"

  1. GET{state}&code_challenge={code_challenge}&code_challenge_method=sha256&client_id={client_id}&redirect_uri={redirect_uri}

  2. Redirect / 302 to {redirect_uri}?code={code}&state={state}

  3. POST
    in body as (application/x-www-form-urlencoded):

I’ve also tried encoding all parameters in the URL (as suggested in another post), but the response is the same “Invalid authorization code”:


I’ve refined my code changes so the only differences between an OAuth flow that I’ve confirmed works* and the above steps are:
Calling - add code_challenge and code_challenge_method parameters
Calling add code_verifier

*Authorization / Content-Type are correct etc

so the problem does seem to be PKCE-related?
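For reference, the PKCE check that the flow above relies on, as an added example that is not part of the original post and not Zoom's code: it derives a `code_challenge` from a `code_verifier` as RFC 7636 specifies, verifies it the way a conforming token endpoint would, and lists client-side encodings that fail that check. RFC 7636 defines the method names `plain` and `S256`. The function names are hypothetical, and `server_accepts` is a stand-in for a token endpoint.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def new_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier: 32 bytes -> 43 base64url characters, no padding."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), '=' padding removed."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def server_accepts(stored_challenge: str, method: str, verifier: str) -> bool:
    """Hypothetical token-endpoint check of code_verifier (RFC 7636 section 4.6)."""
    if method == "S256":
        try:
            expected = s256_challenge(verifier)
        except ValueError:
            return False
    elif method == "plain":
        expected = verifier
    else:
        return False  # method name not defined by RFC 7636
    return hmac.compare_digest(expected.encode(), stored_challenge.encode())


def common_mistakes(verifier: str) -> dict:
    """Client-side encodings that look plausible but fail verification."""
    raw = hashlib.sha256(verifier.encode("ascii")).digest()
    return {
        "hex_digest": hashlib.sha256(verifier.encode("ascii")).hexdigest(),
        "padding_kept": base64.urlsafe_b64encode(raw).decode("ascii"),
        "standard_base64": base64.b64encode(raw).rstrip(b"=").decode("ascii"),
    }
```

The same `code_verifier` that produced the challenge in step 1 has to be the one sent in step 3, so it must be stored per authorization request (for example keyed by `state`) rather than regenerated.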

Hey @AJW,

Thank you for reaching out to the Zoom Developer Forum. I’m tracking an issue similar to this but based on initial information, yours seems to be a bit different.

Please send an email to with a link to this thread. In that email, please include the token URL that you’re using as well as the authorization header. I’ll use that to investigate further.