
Error: invalid_grant when requesting OAuth token


Good morning zoomerinos!

Hit a bit of a roadblock, and there is some discussion of this error on Google, but none of the advice worked for me. And other folks getting the issue seem to be using grant_type=refresh_token whereas I'm using grant_type=authorization_code. So I thought I would ask for help here...


I am setting up a marketplace app with Zoom OAuth. I am able to redirect to the Zoom Authorization page just fine, and I return to my dev app just fine with an authorization `code` in the query params.

However, when I try to POST to, I get a 400 HTTP response with:

{"reason":"Invalid authorization code","error":"invalid_grant"}

Here's the CURL of the request that's failing:

curl \
-H 'Authorization: Basic aWxRc3VXaThUank3S3hmakdzZURpZzpyNmc5ZjRKdmw3YndOM0c3SXc3TUdiQm1pRHloZng5ZA==' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'code=DjVBukFT1o1SZSYLINJRBavYXnnWiZESQ&grant_type=authorization_code&' \


I did try:

  Manually encoding my client id/secret into base64 and checking the Authorization header matches

  Trying both the production client id/secret and the development ones

  Tried both JSON encoding and form encoding the body (currently is generated using URLSearchParams which should trigger fetch to use form encoding).

  Double checking all my redirect URIs are set properly in the App Marketplace

  Reading carefully through the portion of the docs about requesting the access token
  Getting a fresh authorization code

But I can't quite find any advice on what might be going wrong. Anyone have any ideas? Thanks!!



Welp, looks like I applied the old "the second you write it up clearly and post it publicly, you will figure out the solution" debugging technique here...


After running through the list of ideas above, I managed to get a 200 response back from Things I had missed before I got it right:

  1. Made sure I had the "Basic " prefix in the Authorization header
  2. URLEncode the body (not JSON encode)
  3. Fetch a fresh authorization code
  4. Use the development client id/secret

And some combination of all of those worked!
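
Added example, not part of the original post and not Zoom's own code: a sketch of the authorization_code token request built the way the checklist above describes, plus a small linter that flags the first two pitfalls and a client id mismatch before the request is sent. The function names, the `redirect_uri` parameter and the idea of passing the token URL in as an argument are assumptions of this example; a stale or already-used code cannot be detected offline.

```javascript
// Added example; all credentials and URLs are supplied by the caller.
function buildTokenRequest({ tokenUrl, clientId, clientSecret, code, redirectUri }) {
  // HTTP Basic: literal "Basic " prefix + base64("client_id:client_secret").
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri, // assumption: same value as on the authorize step
  });
  return {
    url: tokenUrl,
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: body.toString(), // form-encoded string, not JSON.stringify(...)
  };
}

// Checks a request object against the checklist in the post; returns problem strings.
function lintTokenRequest(req, expectedClientId) {
  const problems = [];
  const headers = req.headers || {};
  const auth = headers.Authorization || "";
  if (!auth.startsWith("Basic ")) {
    problems.push('Authorization header lacks the "Basic " prefix');
  } else {
    const decoded = Buffer.from(auth.slice(6), "base64").toString("utf8");
    const sep = decoded.indexOf(":");
    if (sep < 1) problems.push("Basic credentials are not client_id:client_secret");
    else if (decoded.slice(0, sep) !== expectedClientId)
      problems.push("client_id is not the one for the app that issued the code");
  }
  if (!(headers["Content-Type"] || "").startsWith("application/x-www-form-urlencoded"))
    problems.push("Content-Type is not application/x-www-form-urlencoded");
  const text = String(req.body || "").trim();
  if (text.startsWith("{")) {
    problems.push("body is JSON, not form-encoded");
    return problems; // parameter checks below only make sense for form bodies
  }
  const params = new URLSearchParams(text);
  if (params.get("grant_type") !== "authorization_code")
    problems.push("grant_type must be authorization_code");
  if (!params.get("code")) problems.push("code parameter is missing");
  return problems;
}
```

The object returned by `buildTokenRequest` can be sent with `fetch(req.url, req)` once `lintTokenRequest` returns an empty list.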