My approved marketplace app is no longer allowing installation

We have an approved Marketplace App (Coda) see link. This morning users are reporting they are unable to install the app with a OAuth page “You cannot install this app”. When I head to the Marketplace Console for the app it’s listing pending approval again. There have been zero functional change in the app.

What can we do to get this working again?

Which App?
Coda -

How To Reproduce (If applicable)

  1. Try installing the app via. Coda - you’ll get an error:

Additional context

Hey @Nigel_Ellis,

Can you share your authorize link so I can debug?


Hi Tommy,

Thanks for your response. I’ve been working with developer support on this (ticket 6513070). It appears there’s been a regression in the Zoom API where any OAuth URI that contains ‘{’ or ‘}’ in the OAuth state field will choke. We use state to track the callback context for the session and currently store a JSON encoded hash in it.

Our state arg looks something like:


Which is a UriEncoded JSON.stringify value of:


connectionId: ‘…’,

requestId: ‘…’,


I’m currently working on a change to base64 encode this instead which seems to workaround the recent regression.



1 Like

Hey @Nigel_Ellis,

Correct. Our engineering team is aware of the issue and investigating this. While the team is yet to confirm the exact cause of error, upon initial review, they suspect the issue lies with this specific use of the state parameter. In the meantime they have advised that you revise the OAuth URL to not use a state parameter and it should resolve the authorization error.

For a quick resolution, if you still plan to use the state parameter you can try either of these options.

Option 1:
If possible please limit to using a single value in the state parameter.

Option 2:
Make use of the base64Encode function to encode the state parameter

The engineering team is investigating this at priority and we will keep you updated on the status. Let me know if neither of these help resolve the error you are encountering.


We need state to track which specific logical connection the final Zoom credential should be associated with. I can validate that the Zoom is choking if there are any curly braces in the state parameter. I’ve addressed the issue on our end implementing the suggested workaround and we now base64 encode our state payload avoiding the issue. It’s a cleaner solution that what we had before and will be robust for all our other providers.



Happy to hear you implemented a cleaner solution! :slight_smile: