Authorization Requests and Errors

Authorization requests and responses conform to the OAuth 2.0 framework requirements. Each authorization strategy follows a different sequence of requests and responses, depending on its requirements. The details of each may be found with the individual authorization strategy documentation.

Authorization Endpoints

There are two authorization endpoints. The authorize endpoint issues authorization tokens which may be turned into the token endpoint which issues access and refresh tokens.

Endpoint Purpose Grants authorization tokens. Issues access and refresh tokens.

Error Handling

Your application will need to handle a number of errors resulting from authorization requests. The errors returned by the authorization endpoints are different from those returned by individual API requests. The authorization endpoints support the standard as well as extended OAuth error responses.


Error responses are sent back with an HTTP error code response and a JSON payload containing the error type. Ensure that you inspect the JSON payload in order to determine why your request may have failed.

The JSON error response looks like this:

	"error": "invalid_client",
	"error_description": "Authentication error, invalid authentication method, lack of credentials, etc.",
	"error_uri": ""

Error Codes

Error Type HTTP Error Code Description
access_denied 302
Authorization has been denied by the user. This is only used in the Authorization Code authorization browser redirect.
invalid_request 400
(Bad Request)
The request is malformed. Check parameters.
invalid_client 401
Authentication error, invalid authentication method, lack of credentials, etc.
invalid_grant 400
(Bad Request)
The authorization grant, token or credentials are expired or invalid.
unauthorized_client 400
(Bad Request)
The authenticated client is not authorized to use this authorization grant type.
unsupported_grant_type 400
(Bad Request)
The authorization grant type is not supported by the authorization server.
invalid_scope 400
(Bad Request)
The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
not_supported 400
(Bad Request)
HTTP method not supported for this request.
account_locked 401
Account is temporarily locked.
account_disabled 401
Account is disabled.
authorization_pending 401
Waiting for user to authorize application.
authorization_expired 401
The authorization has expired waiting for user to authorize.
slow_down 401
Slow down polling to the requested interval.

Back To Top