# Error Responses

If the token request is invalid or the authorization code has expired or already been used, the token endpoint returns an error instead of an access token. Error responses use HTTP status codes (such as 400 or 401) and an HTTP reason phrase.

1. For example, if a required parameter (e.g. `client_id`) is missing:

   ```http
   HTTP/1.1 400 Bad Request
   Content-Type: text/plain; charset=utf-8
   Date: Thu, 27 Mar 2025 18:58:24 GMT
   Server: Kestrel
   Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_OTHER_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
   Transfer-Encoding: chunked
   Strict-Transport-Security: max-age=2592000
   Request-Context: appId=SOME_APP_ID

   Invalid client_id
   ```
2. Or if the provided `code` is not valid (e.g., already used or expired):

   ```http
   HTTP/1.1 400 Bad Request
   Content-Type: text/plain; charset=utf-8
   Date: Thu, 27 Mar 2025 19:17:38 GMT
   Server: Kestrel
   Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
   Transfer-Encoding: chunked
   Strict-Transport-Security: max-age=2592000
   Request-Context: appId=cid-v1:SOME_APP

   Invalid Code
   ```
3. Or if the provided Client ID isn't valid: \
   Full HTTP response:

   ```http
   HTTP/1.1 401 Unauthorized
   Content-Type: application/problem+json; charset=utf-8
   Date: Thu, 27 Mar 2025 19:09:27 GMT
   Server: Kestrel
   Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
   Transfer-Encoding: chunked
   Strict-Transport-Security: max-age=2592000
   Request-Context: appId=SOME_APP

   {
       "type": "https://tools.ietf.org/html/rfc9110#section-15.5.2",
       "title": "Unauthorized",
       "status": 401,
       "traceId": "00-de61877dd04ebafff7c1676b5b6e9532-5debd224217a8b45-00"
   }
   ```

   > Response Content JSON (ex...)
   >
   > ```python
   > import requests
   >
   > resp = requests.post(OAUTH_TOKEN_ENDPOINT, data=data)
   > print(resp.json())  # decode and print the JSON error body
   > ```

   ```json
   {
       "type":"https://tools.ietf.org/html/rfc9110#section-15.5.2",
       "title":"Unauthorized",
       "status":401,
       "traceId":"00-b7704abbc12b42d34f405553b712bac7-2885ab6a78ee25ea-00"
   }
   ```
4. Or if the `client_secret` is missing:

   ```http
   HTTP/1.1 400 Bad Request
   Content-Type: text/plain; charset=utf-8
   Date: Thu, 27 Mar 2025 19:03:52 GMT
   Server: Kestrel
   Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
   Transfer-Encoding: chunked
   Strict-Transport-Security: max-age=2592000
   Request-Context: appId=SOME_APP_ID

   Invalid client_secret
   ```
5. Or if the `client_secret` is invalid:

   ```http
   HTTP/1.1 401 Unauthorized
   Content-Type: application/problem+json; charset=utf-8
   Date: Thu, 27 Mar 2025 19:22:06 GMT
   Server: Kestrel
   Set-Cookie: ARRAffinity=SOME_VALUE;Path=/;HttpOnly;Secure;Domain=demo.aicrisk.com, ARRAffinitySameSite=SOME_VALUE;Path=/;HttpOnly;SameSite=None;Secure;Domain=demo.aicrisk.com
   Transfer-Encoding: chunked
   Strict-Transport-Security: max-age=2592000
   Request-Context: appId=cid-v1:SOME_APP

   {
       "type": "https://tools.ietf.org/html/rfc9110#section-15.5.2",
       "title": "Unauthorized",
       "status": 401,
       "traceId": "00-c6bf787605465c8897a36d5957f00fb5-fd988d1c79cd27ed-00"
   }
   ```

Each error response with JSON content includes a "status\_code" and a human-readable "reason". The response is not JSON only when a required parameter is missing entirely; when a parameter is present but invalid, the response body is JSON-decodable.\
Error responses without JSON content carry only the status code number (e.g. 404), the status name (e.g. "Unauthorized"), and the error message (e.g. "Invalid client\_secret").

```http
HTTP/1.1 401 Unauthorized
...
Invalid client_secret
```

Always check for an error response and handle it gracefully in your application (e.g., in your app interacting with an AIRisk instance, prompt the user to re-authenticate if the code is no longer valid).
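One way to apply this advice, as an added example that is not code from the AIRisk documentation: it reads the `Content-Type` before decoding, so both the plain-text and the `application/problem+json` error bodies shown above are handled, and it keeps the `traceId` for support tickets. The names `TokenError` and `parse_token_error` and the action labels are assumptions made for illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenError:
    status: int
    message: str             # plain-text body, or "title" from a problem+json body
    trace_id: Optional[str]  # present only in problem+json bodies
    action: str              # hypothetical labels: "reauthenticate" / "fix_client_config"


def parse_token_error(status: int, content_type: str, body: str) -> Optional[TokenError]:
    """Normalize a token-endpoint response; returns None when the status is 2xx."""
    if 200 <= status < 300:
        return None
    media_type = content_type.split(";", 1)[0].strip().lower()
    message, trace_id = body.strip(), None
    if media_type.endswith("json"):
        try:
            problem = json.loads(body)
        except ValueError:
            problem = None  # mislabeled body: fall back to the raw text
        if isinstance(problem, dict):
            message = str(problem.get("title", message))
            trace_id = problem.get("traceId")
    # Only a bad authorization code can be fixed by sending the user through sign-in again;
    # client_id / client_secret problems need a configuration fix, not a user prompt.
    action = "reauthenticate" if message.lower() == "invalid code" else "fix_client_config"
    return TokenError(status, message, trace_id, action)


# Status, Content-Type and body taken from the sample responses on this page.
PROBLEM_BODY = json.dumps({
    "type": "https://tools.ietf.org/html/rfc9110#section-15.5.2",
    "title": "Unauthorized",
    "status": 401,
    "traceId": "00-de61877dd04ebafff7c1676b5b6e9532-5debd224217a8b45-00",
})
SAMPLES = [
    (400, "text/plain; charset=utf-8", "Invalid client_id"),
    (400, "text/plain; charset=utf-8", "Invalid Code"),
    (401, "application/problem+json; charset=utf-8", PROBLEM_BODY),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_token_error(*sample))
```

With `requests`, call it as `parse_token_error(resp.status_code, resp.headers.get("Content-Type", ""), resp.text)`, and log the returned `trace_id` rather than the request data, which contains the `client_secret`.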

