# Troubleshooting Server-to-Server OAuth access tokens

[Server-to-Server (S2S) OAuth apps](/docs/internal-apps/s2s-oauth/) are internal applications on the Zoom Developer Platform that allow you to programmatically access data from and about your account via Zoom Open API endpoints. While S2S OAuth apps mirror much of the functionality and use of the recently deprecated [JWT app type](/docs/internal-apps/jwt/), one significant difference that can trip some users up is how S2S access tokens are generated. In this blog post, we’ll review how to troubleshoot common user errors during the token retrieval process.

### Server-to-Server OAuth token generation error “unsupported grant type”

When you see the “unsupported grant type” error, there are several possible root causes, but they are usually some iteration of the following two:

**Misconception #1:** You are using the right credentials from your Server-to-Server OAuth app, but [you are following the access token request process for OAuth 2.0](/docs/integrations/oauth/#step-2-request-access-token). This is incorrect and you should reference [this documentation](/docs/internal-apps/s2s-oauth/#to-generate-an-access-token) instead.

**Misconception #2:** You are following the [S2S OAuth token generation steps](/docs/internal-apps/s2s-oauth/#to-generate-an-access-token) correctly, but are using the wrong app type application credentials. We will review that scenario more in-depth below.

Sometimes developers mistakenly overlook that **S2S OAuth token generation _requires_ the S2S OAuth app type**, and try to complete the process with OAuth or another app type (such as Meeting SDK or Zoom Apps) that has OAuth app credentials. Let’s reproduce this scenario.

First, I grab application credentials (client id and client secret) from one of my OAuth test apps:

![Example standard OAuth app type](/img/blog/giannilatange/s2s-token-troubleshoot/s2s+unsupportedgrant.png)

Then, I use my forked branch of the [Zoom Public Workspace](https://www.postman.com/zoom-developer/workspace/zoom-public-workspace/overview) on Postman to attempt S2S OAuth access token generation by making an HTTP POST request to `https://zoom.us/oauth/token?grant_type=account_credentials&account_id={account_id}`:

![S2S OAuth unsupported grant error](/img/blog/giannilatange/s2s-token-troubleshoot/s2s+unsupportedgrant.png)

Despite hitting the necessary endpoint with the correct account id and including a base64-encoded client id and client secret, I receive the “unsupported grant type” error.

**To fix:** You must use the client credentials from your created S2S OAuth app.

### Server-to-Server OAuth token generation error “bad request”

You may see this error when you have the correct `client_id` and `client_secret`, but the wrong or missing value for the `account_id` query parameter. For instance, if you take the account number you see under “profile” on the Zoom web portal and pass it to the token retrieval endpoint thinking it is the same as your account id:

![S2S OAuth unsupported grant error](/img/blog/giannilatange/s2s-token-troubleshoot/accountno.png)

![S2S OAuth unsupported grant error](/img/blog/giannilatange/s2s-token-troubleshoot/accountno+badreq.png)

**To fix:** Find the correct account id value listed **among your application credentials** for your S2S OAuth app or by querying the [get a user](/docs/api/users/#tag/users/GET/users/{userId}) Zoom Meeting API endpoint. Then use that value when making an HTTP POST request to `https://zoom.us/oauth/token?grant_type=account_credentials&account_id={account_id}`.

### Server-to-Server OAuth token generation error “invalid client id or client secret”

If using the Zoom Public Workspace, you may run into this error if you have both the “Authorization” and “Headers” tabs enabled with incorrect/conflicting information. This often happens when users fork the repo and forget to populate their application credentials in the collection variables, per the [workspace tips](https://www.postman.com/zoom-developer/workspace/zoom-public-workspace/overview) on the overview page.

It’s easy to overlook the variables in the “Authorization” tab if you go straight to populating your base64 encoded S2S OAuth client_id:client_secret in the “Headers” tab. Unfortunately, this means when the request is sent, it will return the “invalid client id or client secret” error because the “Authorization” and “Headers” tabs are both enabled and sending conflicting information to the token retrieval server:

![S2S OAuth headers and auth tabs enabled on Postman](/img/blog/giannilatange/s2s-token-troubleshoot/s2s+postman+auth+headers.png)

![S2S OAuth headers and auth tabs enabled on Postman](/img/blog/giannilatange/s2s-token-troubleshoot/s2s+authtab+emptyvar.png)

**To fix:** Use EITHER the “Authorization” tab with your populated S2S client id and secret OR the “Headers” with base64 encoded client_id:client_secret. You can also keep both “Authorization” and “Headers” tabs enabled, _but the values need to be correct in both tabs for a successful request_.

### Server-to-Server OAuth token generation error “Account does not enabled REST API”

Many users have run into the following error when _seemingly_ successfully retrieving a S2S OAuth access token using Postman’s “Authorization” GUI and attempting to use that token for Zoom API endpoints. See example from the Zoom Developer Forum [here](https://devforum.zoom.us/t/200-account-does-not-enabled-rest-api/82171/5?u=gianni.zoom).

_Even though this setup will return an access token_, it is not generated correctly (and therefore, invalid) because the GUI doesn’t account for `account_id` as one of the necessary query parameters that needs to be appended to the `https://zoom.us/oauth/token?` endpoint along with `grant_type=client_credentials`.

For your reference, make a full comparison of how [standard OAuth access tokens](https://www.postman.com/zoom-developer/workspace/zoom-public-workspace/request/22097587-82698a23-7af5-4f3f-bf2e-a62c3eb8903d) are generated compared to [S2S OAuth access tokens](https://www.postman.com/zoom-developer/workspace/zoom-public-workspace/request/22097587-875f65b4-d88f-4082-80af-7605303a5abc). I also recommend expanding the “Documentation” button when using the Zoom Public Workspace to double check that you are using the request correctly:

![Documentation button on Postman request](/img/blog/giannilatange/s2s-token-troubleshoot/s2s+postman+docbutton.png)

![Documentation button on Postman request for S2S OAuth token retrieval](/img/blog/giannilatange/s2s-token-troubleshoot/s2s+postman+docs.png)

**To fix:** Follow the correct documented procedure linked throughout for creating Server-to-Server access tokens.

## Conclusion

These are the most common S2S OAuth token generation user errors we have encountered, and we hope this troubleshooting guide helps build your confidence when using Server to Server OAuth apps!

Additionally, check out the following resources that can help further reduce user error:

- [S2S OAuth app prerequisites](/docs/internal-apps/create/)
- **GitHub sample app:** [S2S OAuth Starter App](https://github.com/zoom/server-to-server-oauth-starter-api)
- **GitHub sample app:** [Zoom Server-to-Server OAuth Token Generation](https://github.com/zoom/server-to-server-oauth-token)
- **Zoom Developer Forum:** [PHP and cURL code snippets for S2S OAuth](https://devforum.zoom.us/t/server2server-oauth-returning-code-200-message-account-does-not-enabled-rest-api/95519/6?u=gianni.zoom)
- [Zoom docs code samples](/docs/internal-apps/s2s-oauth/#code-samples)
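
The four failure modes covered in this post can all be caught before the request is sent. The following is an added example, not code from Zoom or from the original post: `build_token_request` and `preflight` are hypothetical helper names, the credential values are constructed placeholders, and `expected_client_id` is assumed to be the client id shown among your S2S OAuth app's credentials.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_ENDPOINT = "https://zoom.us/oauth/token"  # endpoint named in this post


def build_token_request(account_id, client_id, client_secret):
    """Return (url, headers) for the S2S OAuth token POST described above."""
    query = urlencode({"grant_type": "account_credentials", "account_id": account_id})
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"{TOKEN_ENDPOINT}?{query}", [("Authorization", f"Basic {basic}")]


def preflight(url, headers, expected_client_id):
    """Return a list of problems found; the client secret is never echoed."""
    problems = []
    params = parse_qs(urlsplit(url).query)
    grant = params.get("grant_type", [""])[0]
    if grant != "account_credentials":  # e.g. a GUI that sends client_credentials
        problems.append(f"grant_type is {grant!r}, expected 'account_credentials'")
    if not params.get("account_id", [""])[0]:  # missing or empty account id
        problems.append("account_id query parameter is missing or empty")
    auth = [v for k, v in headers if k.lower() == "authorization"]
    if len(auth) != 1:  # "Authorization" and "Headers" tabs both enabled
        problems.append(f"{len(auth)} Authorization headers sent, expected exactly 1")
    for value in auth:
        scheme, _, blob = value.partition(" ")
        try:
            sent_id = base64.b64decode(blob, validate=True).decode().partition(":")[0]
        except ValueError:  # not valid base64 / not text
            sent_id = None
        if scheme != "Basic" or sent_id != expected_client_id:  # wrong app's credentials
            problems.append("an Authorization header does not carry the S2S app's client id")
    return problems


if __name__ == "__main__":
    # Constructed placeholder credentials, not real values.
    url, headers = build_token_request("ACCT_EXAMPLE", "cid_example", "secret_example")
    print(preflight(url, headers, "cid_example"))  # well-formed request
    # Constructed: request shaped like the Postman "Authorization" GUI case.
    gui_url = f"{TOKEN_ENDPOINT}?grant_type=client_credentials"
    print(preflight(gui_url, headers, "cid_example"))
```

The checks only inspect the request locally; a wrong but non-empty `account_id` still has to be compared against the value in your S2S app credentials.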