Zoom appssdk Authorization ({"reason":"Invalid authorization code","error":"invalid_grant"})

Hello, I am currently working on a WebApp in React, in which I am using "@zoom/appssdk": "^0.16.34", and with that I am using the zoomSdk to handle the seamless authentication process when the user is inside the Zoom client.

These are the auth steps on the WebApp

await zoomSdk.config({ capabilities: ["authorize", "onAuthorized", "openUrl"] });

const codeChallenge = generateCodeChallenge() // base64url-encoded string 43-128 characters
await zoomSdk.authorize({ codeChallenge: codeChallenge });

zoomSdk.onAuthorized(async (event) => {
     console.log(" zoomSdk.onAuthorized: ", event); 

     // code:  TOKEN SENT IN AUTH REQUEST
     // redirectUri:  APP REDIRECT URI
     // result: true
     // timestamp: 1758705561

     await callZoomAuthEndpointJava({token: event.code})
});

Then I call my endpoint, which will go to https://zoom.us/oauth/token to get an access token so that I can later go to https://api.zoom.us/v2/users/me and fetch the user’s information.

And these are the steps:

URL-> https://zoom.us/oauth/token?code=TOKEN&grant_type=authorization_code
Headers-> Base64(clientId + ":" + secretId)

But when I make this request I get this error: {"reason":"Invalid authorization code","error":"invalid_grant"}. I had this working until May 2025, but now I think something has changed in the oauth/token request because I can no longer get new tokens.

Has something changed in the Apps SDK so that I need to send anything more than the code from the onAuthorized method to the Zoom token endpoint, or what is the issue?

Thanks in advance!

Hi @Jose_Miguel
Thanks for reaching out to us.
Let me look internally into this and ask around to see if something changed on our end.

Thank you.

When you have more updates please let me know!

Hi @Jose_Miguel
Sorry for the late reply here.
Can you please try to reauthorize your app and generate a new access token?
I believe this was an intermittent issue

Thank you for the response.
I’ve regenerated a new client secret for my app but still have the same issue:

Bad Request 400
{
    "reason": "Invalid client_id or client_secret",
    "error": "invalid_client"
}

I was searching the Zoom Forum for similar issues and I think it is the way PKCE is done. Previously, to generate the codeChallenge I was encoding the codeVerifier in SHA256, and from what I can tell it has to be in plain text instead of SHA256.

So this is how I am doing the auth (just with my WebApp and Postman)

// 1-> Initialize Zoom SDK
await zoomSdk.config({ capabilities: ["authorize", "onAuthorized", "openUrl"] });

// 2-> Generate PKCE codeVerifier and codeChallenge
private async generatePKCE(): Promise<{ codeVerifier: string, codeChallenge: string }> {
    // Generate code_verifier (base64url-encoded  43-128 characters)
    const array = new Uint8Array(32);
    crypto.getRandomValues(array);
    const codeVerifier = this.base64URLEncode(array);
    // For plain, code_challenge = code_verifier
    const codeChallenge = codeVerifier;
    return { codeVerifier, codeChallenge };
}

private base64URLEncode(array: Uint8Array): string {
    const base64 = btoa(String.fromCharCode(...array));
    return base64
      .replace(/\+/g, "-")
      .replace(/\//g, "_")
      .replace(/=/g, "");
}

// 3-> Call the authorize SDK method with the codeChallenge created
const { codeVerifier, codeChallenge } = await this.generatePKCE();
await zoomSdk.authorize({ codeChallenge: codeChallenge });

// 4-> Wait for the onAuthorized event from Zoom SDK
zoomSdk.onAuthorized((event) => {
    console.log(" zoomSdk.onAuthorized: ", event);
    // code: TOKEN
    // redirectUri: URI
    // result: true
    // timestamp: 1759155367
});

Then I am doing the following request inside Postman:

curl --location --request POST 'https://zoom.us/oauth/token?grant_type=authorization_code&code=TOKEN&redirect_uri=URI&code_verifier=codeVerifier&Authorization=Basic Base64(ClientId:ClientSecret)' \
--header 'Content-Type: x-www-form-urlencoded' \

I’m currently encountering the same invalid_client error mentioned above. Could this be related to the authorization code exchange step, or am I possibly missing something with how the code / credentials are being handled?

Thank you once more

Hello @elisa.zoom. Have you got any updates regarding this issue?

Thanks!

Hi @Jose_Miguel
I did not get a notification from this message.
Let me take a quick look and will get back to you

Hey @Jose_Miguel
This issue could be due to the way you are passing your client id and secret as a query param.
Can you please pass it as an authorization header?

Your request should look like this:

curl --location --request POST 'https://zoom.us/oauth/token?grant_type=authorization_code&code=TOKEN&redirect_uri=URI&code_verifier=codeVerifier' \
--header 'Authorization: Basic Base64(ClientId:ClientSecret)' \
--header 'Content-Type: application/x-www-form-urlencoded'
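
The header-based request from the reply above, as an added example that is not part of the original thread or Zoom's own code: it builds the token-exchange request with the client credentials only in the `Authorization` header, and includes a check that flags credentials placed in the query string. The function names, the sample values and the `client_secret` entry in the check list are assumptions made for illustration; nothing is sent over the network.

```javascript
const TOKEN_URL = "https://zoom.us/oauth/token";
// Query parameter names that must never carry client credentials (hypothetical list).
const CREDENTIAL_PARAMS = ["authorization", "client_secret"];

function buildTokenRequest({ clientId, clientSecret, code, redirectUri, codeVerifier }) {
  // PKCE verifier: 43-128 characters from the unreserved set (RFC 7636, section 4.1).
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(codeVerifier)) {
    throw new Error("code_verifier must be 43-128 unreserved characters");
  }
  const url = new URL(TOKEN_URL);
  url.search = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier,
  }).toString();
  // Credentials travel only in the Basic header, never in the URL.
  const basic = Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
  return {
    method: "POST",
    url: url.toString(),
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
  };
}

// Returns the names of query parameters that look like misplaced credentials.
function misplacedCredentials(requestUrl) {
  const names = [...new URL(requestUrl).searchParams.keys()];
  return names.filter((name) => CREDENTIAL_PARAMS.includes(name.toLowerCase()));
}

// Constructed sample values, not real credentials.
const sample = {
  clientId: "EXAMPLE_CLIENT_ID",
  clientSecret: "EXAMPLE_CLIENT_SECRET",
  code: "TOKEN",
  redirectUri: "https://example.com/redirect",
  codeVerifier: "A".repeat(43),
};
const good = buildTokenRequest(sample);
// The failing shape from the thread: the Basic value appended as a query parameter.
const bad = good.url + "&Authorization=" + encodeURIComponent(good.headers.Authorization);
console.log(good.url, misplacedCredentials(good.url), misplacedCredentials(bad));
```

Running `misplacedCredentials` over outgoing token requests in a test or proxy log review catches the mistake before the secret ends up in URL logs.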

Hey @elisa.zoom!
That solved the issue. Thank you very much :grin:
