Error Responses

If the token request is invalid or the authorization code has expired/been used, the token endpoint will return an error instead of an access token. Error responses use HTTP status codes (like 400 or 401) and an HTTP reason.

  1. For example, if a Required parameter (ex. client_id) is missing:

    HTTP/1.1 400 Bad Request
    Content-Type: text/plain; charset=utf-8
    Date: Thu, 27 Mar 2025 18:58:24 GMT
    Server: Kestrel
    Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_OTHER_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
    Transfer-Encoding: chunked
    Strict-Transport-Security: max-age=2592000
    Request-Context: appId=SOME_APP_ID
    
    Invalid client_id
  2. Or if the provided code is not valid (e.g., already used or expired):

    HTTP/1.1 400 Bad Request
    Content-Type: text/plain; charset=utf-8
    Date: Thu, 27 Mar 2025 19:17:38 GMT
    Server: Kestrel
    Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
    Transfer-Encoding: chunked
    Strict-Transport-Security: max-age=2592000
    Request-Context: appId=cid-v1:SOME_APP
    
    Invalid Code
  3. Or if the provided Client ID isn't valid: Full HTTP Response:

    HTTP/1.1 401 Unauthorized
    Content-Type: application/problem+json; charset=utf-8
    Date: Thu, 27 Mar 2025 19:09:27 GMT
    Server: Kestrel
    Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
    Transfer-Encoding: chunked
    Strict-Transport-Security: max-age=2592000
    Request-Context: appId=SOME_APP
    
    {
        "type": "https://tools.ietf.org/html/rfc9110#section-15.5.2",
        "title": "Unauthorized",
        "status": 401,
        "traceId": "00-de61877dd04ebafff7c1676b5b6e9532-5debd224217a8b45-00"
    }

    Response Content JSON (ex...)

    resp = requests.post(OAUTH_TOKEN_ENDPOINT, data=data)
    resp.json()
    print(resp)
    {
        "type":"https://tools.ietf.org/html/rfc9110#section-15.5.2",
        "title":"Unauthorized",
        "status":401,
        "traceId":"00-b7704abbc12b42d34f405553b712bac7-2885ab6a78ee25ea-00"
    }
  4. Or if the client_secret is missing

    HTTP/1.1 400 Bad Request
    Content-Type: text/plain; charset=utf-8
    Date: Thu, 27 Mar 2025 19:03:52 GMT
    Server: Kestrel
    Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
    Transfer-Encoding: chunked
    Strict-Transport-Security: max-age=2592000
    Request-Context: appId=SOME_APP_ID
    
    Invalid client_secret
  5. Or if the client_secret is invalid

    HTTP/1.1 401 Unauthorized
    Content-Type: application/problem+json; charset=utf-8
    Date: Thu, 27 Mar 2025 19:22:06 GMT
    Server: Kestrel
    Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
    Transfer-Encoding: chunked
    Strict-Transport-Security: max-age=2592000
    Request-Context: appId=cid-v1:SOME_APP
    
    {
        "type": "https://tools.ietf.org/html/rfc9110#section-15.5.2",
        "title": "Unauthorized",
        "status": 401,
        "traceId": "00-c6bf787605465c8897a36d5957f00fb5-fd988d1c79cd27ed-00"
    }

Each error response with JSON content includes an "status_code" code and a human-readable "reason" (Is only not JSON if entirely not passing in a necessary parameter. Even if invalid, it will return JSON decode-able content). The error responses without JSON content only have their status code number (ex. 404 in), the status name e.g. "Unauthorized", and the error message e.g "Invalid client_secret".

HTTP/1.1 401 Unauthorized
...
Invalid client_secret

Always check for an error response and handle it gracefully in your application (e.g., in your app interacting with an AIRisk instance, prompt the user to re-authenticate if the code is no longer valid).

Last updated