diff --git a/httpserver/httpserver.go b/httpserver/httpserver.go
index ff4a9d5..bc61bbc 100644
--- a/httpserver/httpserver.go
+++ b/httpserver/httpserver.go
@@ -1,6 +1,7 @@
 package httpserver
 
 import (
+	"context"
 	"log"
 	"net/http"
 	"path/filepath"
@@ -24,7 +25,7 @@ func newHandler(cfg config.Config) *handler {
 			Scopes:       []string{"tweet.read", "tweet.write", "users.read", "offline.access"},
 			Endpoint: oauth2.Endpoint{
 				AuthURL:  "https://twitter.com/i/oauth2/authorize",
-				TokenURL: "https://twitter.com/i/oauth2/token",
+				TokenURL: "https://api.twitter.com/2/oauth2/token",
 			},
 		},
 	}
@@ -36,7 +37,7 @@ func (h *handler) getIndex(c echo.Context) error {
 
 func (h *handler) getLogin(c echo.Context) error {
 	url := h.oauth2Config.AuthCodeURL(
-		// TODO: implement state token
+		// TODO: implement state and code_challenge tokens
 		"state",
 		oauth2.SetAuthURLParam("code_challenge", "challenge"),
 		oauth2.SetAuthURLParam("code_challenge_method", "plain"),
@@ -45,8 +46,18 @@ func (h *handler) getLogin(c echo.Context) error {
 }
 
 func (h *handler) getCallback(c echo.Context) error {
-	log.Printf("got params = %+v", c.QueryParams())
-	return c.String(http.StatusOK, "Received response")
+	code := c.QueryParam("code")
+	if code == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "empty code")
+	}
+
+	_, err := h.oauth2Config.Exchange(context.Background(), code, oauth2.SetAuthURLParam("code_verifier", "challenge"))
+	if err != nil {
+		log.Printf("error exchanging code: %v", err)
+		return echo.NewHTTPError(http.StatusInternalServerError, "error exchanging code")
+	}
+
+	return c.String(http.StatusOK, "ok")
 }
 
 func Start(cfg config.Config) error {