Zoom auth redirect: invalid Invalid authorization code


I tried to finish auth workflow with a auth app and got the following error. The strange part is it works for the most of time… Please see How To Reproduce session for more details.


Zoom API error: invalid_request, reason: Invalid authorization code mk1Cq8Pap6_PatCmZLwQxKCZOUJsBwojQ"

Which App Type (OAuth / Chatbot / JWT / Webhook)?

Which Endpoint/s?


How To Reproduce (If applicable)

  1. Prepare a state token with the following data:
    { "iam_user_id":"U-86dd1422-859e-4e47-ab80-4bfbd6c28755" "next_url": "www.nexturl.com" }

  2. Then I hit this URL with the above state token to start auth workflow:

  3. Then zoom redirects me back the auth redirect URL I set, which is a http endpoint:

  4. In this http endpoint, i tried to use the returned code to get an auth token but got the above error.

  5. This only happened only after I already used the same IAM_user_id to get a token before (and it worked). The auth workflow would work again if I change IAM_user_id to something else, say: fake_id

Screenshots (If applicable)

Additional context
Add any other context about the problem here.

Hey @achuo,

Have you tried passing in your state token url encoded or base 64 encoded?


Nope, will that affect the behaviour of zoom auth workflow?

Hey @achuo,

I think you are getting that error because you are passing in a json object as the state param.

Please try base64encoding the object or url encoding it so it is url safe.


Hey @tommy,

I will give it a try. Thanks for the help!

1 Like

You are welcome @achuo!

Let me know if that works! :slight_smile:


Hey @tommy

I url encoded my state token but I still got the error Error processing zoom oauth2 redirect request: the code [ibcgiRImMi_PatCmZLwQxKCZOUJsBwojQ] for exchanging OAuth token is invalid. Can you check your logs to see what happened???

It worked again (with or without url encoding state token) ONLY AFTER I fully deleted my existing token in the database… However, the database in my system only supports soft delete (by adding deleted date to a row) and this error occurred when I soft deleted my token and re-authed.

Hey @achuo,

It seems you must be using an old code.

Make sure once you get an access_token the first time, you use the refresh flow to get a new access_token, and not the original get get access token request passing in the code ibcgiRImMi_PatCmZLwQxKCZOUJsBwojQ.


Hey @tommy

Sometimes we wanna to delete an existing token to retest auth workflow. Do you think it would help if I revoke my existing token first before doing re-auth?

Hey @achuo,

Revoking should not make a difference. If you start from Step 1, going to the install / authorize URL it should work every time. :slight_smile: