If the token request is invalid or the authorization code has expired or has already been used, the token endpoint returns an error instead of an access token. Error responses use an HTTP status code (400 or 401 in the cases below) together with either a short plain-text message or a JSON problem-details body.
For example, if a required parameter (e.g. client_id) is missing:
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Date: Thu, 27 Mar 2025 18:58:24 GMT
Server: Kestrel
Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_OTHER_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=2592000
Request-Context: appId=SOME_APP_ID
Invalid client_id
Or if the provided code is not valid (e.g. already used or expired):
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Date: Thu, 27 Mar 2025 19:17:38 GMT
Server: Kestrel
Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=2592000
Request-Context: appId=cid-v1:SOME_APP
Invalid Code
Or if the provided client_id is present but not valid (full HTTP response):
HTTP/1.1 401 Unauthorized
Content-Type: application/problem+json; charset=utf-8
Date: Thu, 27 Mar 2025 19:09:27 GMT
Server: Kestrel
Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=2592000
Request-Context: appId=SOME_APP
{
"type": "https://tools.ietf.org/html/rfc9110#section-15.5.2",
"title": "Unauthorized",
"status": 401,
"traceId": "00-de61877dd04ebafff7c1676b5b6e9532-5debd224217a8b45-00"
}
The same response read with Python requests (OAUTH_TOKEN_ENDPOINT and the form parameters in data are assumed to be defined earlier on this page):
import requests

resp = requests.post(OAUTH_TOKEN_ENDPOINT, data=data)
print(resp.status_code)  # 401 for an invalid client_id
print(resp.json())       # problem-details body; only decodable when Content-Type is application/problem+json
The decoded body:
{
"type":"https://tools.ietf.org/html/rfc9110#section-15.5.2",
"title":"Unauthorized",
"status":401,
"traceId":"00-b7704abbc12b42d34f405553b712bac7-2885ab6a78ee25ea-00"
}
Or if the client_secret is missing:
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Date: Thu, 27 Mar 2025 19:03:52 GMT
Server: Kestrel
Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=2592000
Request-Context: appId=SOME_APP_ID
Invalid client_secret
Or if the client_secret is invalid:
HTTP/1.1 401 Unauthorized
Content-Type: application/problem+json; charset=utf-8
Date: Thu, 27 Mar 2025 19:22:06 GMT
Server: Kestrel
Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=2592000
Request-Context: appId=cid-v1:SOME_APP
{
"type": "https://tools.ietf.org/html/rfc9110#section-15.5.2",
"title": "Unauthorized",
"status": 401,
"traceId": "00-c6bf787605465c8897a36d5957f00fb5-fd988d1c79cd27ed-00"
}
The JSON error responses (Content-Type: application/problem+json) carry a numeric "status", a human-readable "title" such as "Unauthorized", a "type" URL pointing at the section of RFC 9110 that defines that status code, and a "traceId" that identifies the request on the server side. In the examples above, the body is plain text only when a required parameter is missing (Invalid client_id, Invalid client_secret) or the authorization code is rejected (Invalid Code); when a client_id or client_secret is supplied but not valid, the endpoint returns 401 with a JSON body.
The text/plain error responses consist only of the status code (e.g. 400), its reason phrase (e.g. "Bad Request"), and a short error message such as "Invalid client_secret":
HTTP/1.1 400 Bad Request
...
Invalid client_secret
Check the Content-Type header before handing the body to a JSON decoder; decoding a text/plain body such as "Invalid Code" raises an exception instead of yielding the error.
Always check for an error response and handle it gracefully in your application. For example, an app interacting with an AIRisk instance should prompt the user to re-authenticate when the code is no longer valid, since a used or expired code will not succeed on retry.
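The following is an added example, not code from this page or from AIRisk, showing one way to normalise the two response shapes documented above and decide what a client should do next. The sample responses are constructed from the bodies shown on this page; the mapping from error to action (reauthorize, fix the request, check client credentials) is an assumed client policy, not something the endpoint specifies. When logging these errors, log the status and traceId rather than the outgoing request, which contains the client_secret.

```python
"""Parse and classify error responses from an OAuth token endpoint.

Added example, not part of the original documentation. SAMPLE_RESPONSES are
constructed from the bodies shown on this page; next_action() is an assumed
client policy.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Reason phrases for the status codes seen on this page.
REASON_PHRASES = {400: "Bad Request", 401: "Unauthorized"}


@dataclass
class TokenError:
    status: int               # HTTP status code (400, 401, ...)
    title: str                # reason phrase or problem-details "title"
    message: str              # human-readable message from the body
    trace_id: Optional[str]   # "traceId" from a problem+json body, if any
    is_json: bool             # True when the body was application/problem+json


def parse_token_error(status: int, content_type: str, body: str) -> TokenError:
    """Normalise a non-2xx token-endpoint response.

    Dispatch on the Content-Type header rather than trying json.loads() first,
    so a text/plain body such as "Invalid Code" never surfaces as a
    JSONDecodeError.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in ("application/problem+json", "application/json"):
        doc = json.loads(body)
        return TokenError(
            status=int(doc.get("status", status)),
            title=str(doc.get("title", "")),
            message=str(doc.get("detail") or doc.get("title", "")),
            trace_id=doc.get("traceId"),
            is_json=True,
        )
    # text/plain: the body is only a short message such as "Invalid client_id"
    return TokenError(
        status=status,
        title=REASON_PHRASES.get(status, ""),
        message=body.strip(),
        trace_id=None,
        is_json=False,
    )


def next_action(err: TokenError) -> str:
    """Map a parsed error to what the client should do (assumed policy)."""
    if err.status == 401:
        # Client credentials were supplied but rejected: a configuration
        # problem on the client side, not something the end user can fix.
        return "check_client_credentials"
    if err.status == 400 and err.message.lower() == "invalid code":
        # The authorization code was used or has expired: run the
        # authorization step again to obtain a fresh code.
        return "reauthorize"
    if err.status == 400:
        # A required parameter was missing or malformed; fix the request.
        return "fix_request"
    return "fail"


# Constructed samples, taken from the response bodies shown on this page.
SAMPLE_RESPONSES = {
    "missing_client_id": (400, "text/plain; charset=utf-8", "Invalid client_id"),
    "invalid_code": (400, "text/plain; charset=utf-8", "Invalid Code"),
    "invalid_client_secret": (
        401,
        "application/problem+json; charset=utf-8",
        '{"type":"https://tools.ietf.org/html/rfc9110#section-15.5.2",'
        '"title":"Unauthorized","status":401,'
        '"traceId":"00-c6bf787605465c8897a36d5957f00fb5-fd988d1c79cd27ed-00"}',
    ),
}


def classify_all() -> dict:
    """Parse every sample and return {name: (status, message, action)}."""
    results = {}
    for name, (status, ctype, body) in SAMPLE_RESPONSES.items():
        err = parse_token_error(status, ctype, body)
        results[name] = (err.status, err.message, next_action(err))
    return results


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name}: {result}")
```

With a live client, feed parse_token_error() the values from resp.status_code, resp.headers["Content-Type"] and resp.text rather than calling resp.json() unconditionally.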