What does invalid_grant mean in OAuth?

invalid_grant is returned by the token endpoint when the authorization code or refresh token is expired, revoked, already used, or does not match the client or redirect URI. It usually means the client must restart the authorization flow.

How is invalid_client different from invalid_grant?

invalid_client means client authentication itself failed — unknown client, wrong secret, or unsupported auth method — and often returns HTTP 401. invalid_grant means the client authenticated fine but the grant it presented is no longer valid.

What are interaction_required and login_required?

These OpenID Connect errors occur when a client requests prompt=none for a silent flow but the user must actually interact — login_required means they are not authenticated, and interaction_required means some interaction such as consent is needed.

What do authorization_pending and slow_down mean?

These belong to the OAuth device flow. authorization_pending means the user has not finished approving yet, so keep polling. slow_down means you are polling too fast and should add 5 seconds to your interval.

What HTTP status accompanies insufficient_scope?

A resource server returns 403 Forbidden with insufficient_scope when a valid token lacks the scope required for the resource. The WWW-Authenticate header should name the missing scope so the client can request it.

OAuth 2.0 Error Codes

OAuth 2.0 and OpenID Connect error codes

OAuth and OpenID Connect define a compact set of machine-readable error codes returned across the authorization, token, resource-server, and device-flow endpoints. Each error value (often paired with error_description and error_uri) tells the client exactly what went wrong — a malformed request, a failed client authentication, an expired grant, or a need for user interaction. Knowing the difference between invalid_client and invalid_grant, or between login_required and consent_required, saves hours of integration debugging. Search the reference above by code or keyword.

How it works

Errors arrive in one of two shapes depending on the endpoint. The authorization endpoint redirects back to the client with error, error_description, and state in the query (or fragment), using codes like access_denied and unsupported_response_type. The token endpoint returns a JSON body with an error field and typically an HTTP 400 (or 401 for invalid_client), using codes like invalid_grant and unsupported_grant_type. Resource servers signal invalid_token (401) and insufficient_scope (403) via the WWW-Authenticate header per RFC 6750. OpenID Connect adds interaction errors (login_required, consent_required) for silent prompt=none requests, and the device flow (RFC 8628) adds polling errors (authorization_pending, slow_down).

Tips and examples

Treat invalid_grant as “start over”: clear the stored refresh token and send the user back through authorization rather than retrying the same grant.
Map invalid_client to a configuration problem — wrong client ID/secret or auth method — not a user problem.
In silent SSO, expect login_required/interaction_required and fall back to an interactive prompt=login instead of failing the user.
In the device flow, always honor slow_down by widening your poll interval, and stop polling on expired_token to begin a fresh request.

OAuth 2.0 Error Codes

Email me this result

OAuth 2.0 and OpenID Connect error codes

How it works

Tips and examples