Error Responses

If the token request is invalid or the authorization code has expired/been used, the token endpoint will return an error instead of an access token. Error responses use HTTP status codes (like 400 or 401) and an HTTP reason.

For example, if a Required parameter (ex. client_id) is missing:

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Date: Thu, 27 Mar 2025 18:58:24 GMT
Server: Kestrel
Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_OTHER_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=2592000
Request-Context: appId=SOME_APP_ID

Invalid client_id

Or if the provided code is not valid (e.g., already used or expired):

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Date: Thu, 27 Mar 2025 19:17:38 GMT
Server: Kestrel
Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=2592000
Request-Context: appId=cid-v1:SOME_APP

Invalid Code

Or if the provided Client ID isn't valid: Full HTTP Response:

HTTP/1.1 401 Unauthorized
Content-Type: application/problem+json; charset=utf-8
Date: Thu, 27 Mar 2025 19:09:27 GMT
Server: Kestrel
Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=2592000
Request-Context: appId=SOME_APP

{
    "type": "https://tools.ietf.org/html/rfc9110#section-15.5.2",
    "title": "Unauthorized",
    "status": 401,
    "traceId": "00-de61877dd04ebafff7c1676b5b6e9532-5debd224217a8b45-00"
}

Response Content JSON (ex...)

resp = requests.post(OAUTH_TOKEN_ENDPOINT, data=data)
resp.json()
print(resp)

{
    "type":"https://tools.ietf.org/html/rfc9110#section-15.5.2",
    "title":"Unauthorized",
    "status":401,
    "traceId":"00-b7704abbc12b42d34f405553b712bac7-2885ab6a78ee25ea-00"
}

Or if the client_secret is missing

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Date: Thu, 27 Mar 2025 19:03:52 GMT
Server: Kestrel
Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=2592000
Request-Context: appId=SOME_APP_ID

Invalid client_secret

Or if the client_secret is invalid

HTTP/1.1 401 Unauthorized
Content-Type: application/problem+json; charset=utf-8
Date: Thu, 27 Mar 2025 19:22:06 GMT
Server: Kestrel
Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=2592000
Request-Context: appId=cid-v1:SOME_APP

{
    "type": "https://tools.ietf.org/html/rfc9110#section-15.5.2",
    "title": "Unauthorized",
    "status": 401,
    "traceId": "00-c6bf787605465c8897a36d5957f00fb5-fd988d1c79cd27ed-00"
}

Each error response with JSON content includes an "status_code" code and a human-readable "reason" (Is only not JSON if entirely not passing in a necessary parameter. Even if invalid, it will return JSON decode-able content). The error responses without JSON content only have their status code number (ex. 404 in), the status name e.g. "Unauthorized", and the error message e.g "Invalid client_secret".

HTTP/1.1 401 Unauthorized
...
Invalid client_secret

Always check for an error response and handle it gracefully in your application (e.g., in your app interacting with an AIRisk instance, prompt the user to re-authenticate if the code is no longer valid).

PreviousExample Token Request NextSummary of OAuth2 Authorization Flow

Last updated 10 months ago