400 - The state parameter must be provided


I am attempting to use the “Try It” feature on the Classic WoW Game Data API to just experiment and learn more about the API. However, after entering my Client ID and Client Secret, I encounter the error in the title. 400 - The state parameter must be provided.

I believe I have correctly set up my client correctly and have tried a number of redirect URLs. I have checked the “I do not have a service URL for this client.”

Would appreciate any help on this topic and happy to provide further information. Thank you

1 Like

which api call are you trying to use?

I also experience this when trying out the examples. My current workaround is to use the Oauth token option instead, which you can copy and paste from the output of (given you have curl installed):

curl -u {client_id}:{client_secret} -d grant_type=client_credentials https://oauth.battle.net/token
1 Like

yes you must provide a “state string” when using any token calls
" An opaque value supplied by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter should be used for preventing cross-site request forgery."
using this you just need to add state={somevalue} to the end of the authorization url

here is my example in php

     * getAuthenticationUrl
     * @param string $auth_endpoint Url of the authentication endpoint
     * @param string $redirect_uri  Redirection URI
     * @param array  $extra_parameters  Array of extra parameters like scope or state (Ex: array('scope' => null, 'state' => ''))
     * @return string URL used for authentication
    public function getAuthenticationUrl($auth_endpoint, $redirect_uri, array $extra_parameters = array())
        $parameters = array_merge(array(
            'response_type' => 'code',
            'client_id'     => $this->client_id,
			'scope'			=> 'wow.profile',
			'auth_flow'		=> 'auth_code',
            'redirect_uri'  => $redirect_uri
        ), $extra_parameters);
        return $auth_endpoint . '?' . http_build_query($parameters, null, '&');
1 Like

Sure but when using the TRY IT button on any of the routes from this page https://develop.battle.net/documentation/world-of-warcraft/game-data-apis you end up facing the error 400.

On any API documentation, the TRY IT button should be working otherwise you’re facing unnecessary hindrance for new developers.


on the dev portal you should not need to but you do have to provide a token or your keys to use them

Also getting the 400 error in the “Try now” also, was looking to develop a tool to help collecting achievements to see if it was worth my time, but run into the 400 error (using clientid + secret key) and i cant get request a token either with curl to use the try now either getting -d grant_type=client_credentials oauthbattlenet/token
{“error”:“unauthorized”,“error_description”:“Bad credentials”}

1 Like

I am also unable to get the “Try” to work when using my Client ID & Secret. I get the same error as OP. I was able to get it to work with the OAuth token option instead. I used the curl command posted above to get my token. Make sure to wrap the Client ID & Secret in quotes and remove the brackets:

curl -u "client_id:client_secret" .....

Yes the dev portal has ben having issues lately ive noticed the pages hang and take a while for click actions to work there could be issues ion the backend related to the the recent ddos attacks and possible updates happening

I got same error but it eventually worked.

You said

I am also trying out the API for the first time and trying to make some calls using the website and getting this error.
Are you saying you kept trying to make the call in the Api example docs and it eventually worked?
Can a dev confirm that the dev portal is still broken or not? Thank you!

im no dev but the portal has been hanging for me taking 3-10 seonds for me to be able to put info in any text box and the hang proc’s again on the next field on the same form so there are def issues on it i hope to see it fixed soon

tho the api doc’s are having issues the api its self does not seem to be affected

I got the same problem,

So I fixed as aour friend(Ulminia) said,

if you are trying by the Getting Started Screen to make a request an test,
on the screen of the error you can go to the link and add the state='' at the end of the string url, after the redirect_uri, thanks again Ulminia

:shamrock: UrbanDruid

I’m experiencing this error when I try to log onto the WoW Classic website.

When i follow your suggestion, i get the following error


The redirect_uri parameter must be a valid URI

just confirming, i would need to delete everything after “redirect_uri” to be <…redirect_uri=state=‘’>?

redirect uri ( or url ) is required in the auth process to get a valid return on the auth urls especially when trying to get your own token to make calls with

if the api docs are not working you may need to use a 3rd party lib to generate your calls for you at this point

depending on the language there are several you can use

I am getting the same error when trying to generate a token through the “Try It” button for any of the api calls.

I was able to generate a token using:
curl -u {client_id}:{client_secret} -d grant_type=client_credentials https://oauth.battle.net/token

however, when I use the “Try It” button with this token I get:
0 Unknown Error

Hi, I’m also getting

0 Unknown Error

Seems like the API is down? Can’t test it from the official “Try it” docs page…

Below is my basic React app, just to test access. After clicking on the link, I was redirected to the Blizzard site. My account was signed in. I approved access to my app. I was redirected by to localhost.


function App() {
  const base = "https://us.battle.net/oauth/authorize?";
  const params = new URLSearchParams({
    client_id: "YOUR _ID",
    redirect_uri: "http://localhost:8888/",
    response_type: "code",
    state: "test", // Here I added "test" instead of an empty string


  return (
      <a href={`${base}${params.toString()}`}>Login</a>

export default App;

This worked for me too, thanks!

ETA - no it didn’t :sob: it redirected me to the API page after I approved the client, and then when I did the try now button again in the new, approved tab, it requested my creds again, and then opened another 400 tab :frowning: