URGENT ### {“reason”:”Invalid authorization code ***”,”error”:”invalid_grant”}

Hello I am currently getting the error:
I am using zoomappsdk for client side
{“reason”:“Invalid authorization code [REDACTED]”,“error”:“invalid_grant”}

I used the zoomapp sdk and used the authorize and onauthorized functions on the client side to get the authorization code
{code: “###”, result: true, timestamp: ###, redirectUri: "https://###.ngrok.io/”}

Then I send the code to the backend with a code_verifier to then the server sends a post to
https://zoom.us/oauth/token” with the parameters


No Luck :frowning:
Can someone please help with this Ive been stuck on why its giving authorization code error the last two days
Heres what I am doing to run the current code challenge

async function generateCodeChallenge() {
// Generate a random string for the challenge
const challenge = await generateRandomString(64);
// Convert the challenge to a buffer
const challengeBuffer = new TextEncoder().encode(challenge);

// Encode the buffer using plain encoding
const codeChallenge = btoa(String.fromCharCode(…new Uint8Array(challengeBuffer)));

// Generate a random string for the verifier
const verifier = await generateRandomString(64);

// Convert the verifier to a buffer
const verifierBuffer = new TextEncoder().encode(verifier);

// Encode the buffer using base64
const codeVerifier = btoa(String.fromCharCode(…new Uint8Array(verifierBuffer)));

return { codeChallenge, codeVerifier };

On the backend here is what I am running for calling zoom server

const zoomtokenep = “https://zoom.us/oauth/token”;
const myappredirect = req.query.redirectUri;
if (req.query.code) {
console.log(“CODE VERIFIER”)
const zoomclientid = “Z***”
const zoomclientsec = “T***”
const auth = ‘Basic ’ + Buffer.from(zoomclientid + ‘:’ + zoomclientsec).toString(‘base64’);
var url = zoomtokenep + ‘?grant_type=authorization_code&code=’ +
req.query.code + ‘&code_verifier=’+req.query.code_verifier +’&redirect_uri=’ + myappredirect;
url: url,
headers: {
“Authorization”: auth
}, function(error, response, body) {
if (error) {
console.log("Error when getting Zoom token = " + error);
body = JSON.parse(body);
if (body.access_token) {
accessToken = body.access_token;
// Process and securely store these tokens
res.send({ output: accessToken});
} else {
console.log(“FATAL - could not get zoom token”);

} else {
console.log(“Missing code from Zoom”);

This may have to do with how the code_challenge is generated. To rule out if this is related to the code challenge generation, are you able to authorize the app without using PKCE?

Here’s an example of generating a code_challenge from a verifier:

Let me know if that helps.

thanks it is helpful for me

Great! I’m glad to hear that was helpful.

This topic was automatically closed 368 days after the last reply. New replies are no longer allowed.