/oauth/token and /oauth/userinfo. Errors are JSON with error and optional error_description.
## Error reference

| Error | HTTP | Endpoint | Meaning |
|---|---|---|---|
| invalid_request | 400 | /oauth/token | Missing or malformed parameters |
| invalid_client | 401 | /oauth/token | Wrong client_id / client_secret |
| invalid_grant | 400 | /oauth/token | Code or refresh token rejected |
| unsupported_grant_type | 400 | /oauth/token | Only authorization_code and refresh_token are supported |
| invalid_token | 401 | /oauth/userinfo | Missing, expired, or revoked access token |
| server_error | 500 | /oauth/token | Internal failure while issuing tokens |
### invalid_grant — authorization code already used or expired

### invalid_grant — PKCE verification failed

The code_verifier sent to /oauth/token must satisfy the code_challenge that was sent on the authorize request. Common causes:

- Opening a sample authorize URL from the Developer Portal instead of starting login in your app
- Losing code_verifier between authorize and callback (wrong storage domain, cleared session)
- Using the plain challenge method — OakID only supports S256

Fix: Use a new state, code_verifier, and code_challenge per login. Store the verifier in sessionStorage on the same origin that receives the callback. See PKCE.
### invalid_grant — refresh token rejected

Refresh tokens rotate on every use. The previous token is revoked immediately. Common causes:

- Reusing an old refresh token after a successful refresh
- Token expired or manually revoked in the Developer Portal
- Client secret was regenerated (invalidates all sessions for that client)

Fix: Store the refresh_token from each token response. If refresh fails, redirect the user through the authorize flow again.
### invalid_client — wrong credentials

Confidential clients must send client_id and client_secret in the token request body or via HTTP Basic auth. Common causes:

- Typo in OAKID_PANEL_CLIENT_SECRET (Panel integration)
- Secret was regenerated in Developer Portal but env var was not updated
- Using client_id from one app with another app's secret

Fix: Update the secret in .env.
### Invalid OAuth state on Panel callback

This appears in the browser when state from the callback does not match what Panel stored in sessionStorage. Common causes:

- Callback landed on a different host than where login began
- Third-party cookies or storage blocked between your app and id.oakwall.mom
### invalid_token on /oauth/userinfo

The access token is missing, expired, or revoked.

Fix: Refresh the access token with grant_type=refresh_token, or run the authorize flow again if refresh is unavailable.

### Revoke tokens

To invalidate a refresh or access token, call the revocation endpoint. It returns 200 even if the token is unknown (per RFC 7009).
## Still stuck?

- Check discovery: confirm issuer and endpoint URLs match your environment.
- API Reference: full request/response schemas for every OAuth endpoint.