Error Responses
If the token request is invalid or the authorization code has expired/been used, the token endpoint will return an error instead of an access token. Error responses use HTTP status codes (like 400 or 401) and an HTTP reason.
For example, if a Required parameter (ex.
client_id
) is missing:HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Date: Thu, 27 Mar 2025 18:58:24 GMT Server: Kestrel Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_OTHER_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com Transfer-Encoding: chunked Strict-Transport-Security: max-age=2592000 Request-Context: appId=SOME_APP_ID Invalid client_id
Or if the provided
code
is not valid (e.g., already used or expired):HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Date: Thu, 27 Mar 2025 19:17:38 GMT Server: Kestrel Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com Transfer-Encoding: chunked Strict-Transport-Security: max-age=2592000 Request-Context: appId=cid-v1:SOME_APP Invalid Code
Or if the provided Client ID isn't valid: Full HTTP Response:
HTTP/1.1 401 Unauthorized Content-Type: application/problem+json; charset=utf-8 Date: Thu, 27 Mar 2025 19:09:27 GMT Server: Kestrel Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com Transfer-Encoding: chunked Strict-Transport-Security: max-age=2592000 Request-Context: appId=SOME_APP { "type": "https://tools.ietf.org/html/rfc9110#section-15.5.2", "title": "Unauthorized", "status": 401, "traceId": "00-de61877dd04ebafff7c1676b5b6e9532-5debd224217a8b45-00" }
Response Content JSON (ex...)
resp = requests.post(OAUTH_TOKEN_ENDPOINT, data=data) resp.json() print(resp)
{ "type":"https://tools.ietf.org/html/rfc9110#section-15.5.2", "title":"Unauthorized", "status":401, "traceId":"00-b7704abbc12b42d34f405553b712bac7-2885ab6a78ee25ea-00" }
Or if the client_secret is missing
HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Date: Thu, 27 Mar 2025 19:03:52 GMT Server: Kestrel Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com Transfer-Encoding: chunked Strict-Transport-Security: max-age=2592000 Request-Context: appId=SOME_APP_ID Invalid client_secret
Or if the client_secret is invalid
HTTP/1.1 401 Unauthorized Content-Type: application/problem+json; charset=utf-8 Date: Thu, 27 Mar 2025 19:22:06 GMT Server: Kestrel Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com Transfer-Encoding: chunked Strict-Transport-Security: max-age=2592000 Request-Context: appId=cid-v1:SOME_APP { "type": "https://tools.ietf.org/html/rfc9110#section-15.5.2", "title": "Unauthorized", "status": 401, "traceId": "00-c6bf787605465c8897a36d5957f00fb5-fd988d1c79cd27ed-00" }
Each error response with JSON content includes an "status_code" code and a human-readable "reason" (Is only not JSON if entirely not passing in a necessary parameter. Even if invalid, it will return JSON decode-able content). The error responses without JSON content only have their status code number (ex. 404 in), the status name e.g. "Unauthorized", and the error message e.g "Invalid client_secret".
HTTP/1.1 401 Unauthorized
...
Invalid client_secret
Always check for an error response and handle it gracefully in your application (e.g., in your app interacting with an AIRisk instance, prompt the user to re-authenticate if the code is no longer valid).
Last updated