Error Handling
When making requests to the Stitch Token API endpoints, you'll interact with a REST-style API for authentication.
As such, you can expect conventional HTTP response codes to indicate failures, with a 400 Bad Request HTTP status code and a JSON body containing the specific error message.
All token API errors detailed in this section are synchronous.
Invalid Redirect URL
{
  "redirect_uri": [
    "Invalid redirect_uri. Please ensure the URI has been whitelisted."
  ]
}
This error may be encountered when using a URL that has not been whitelisted for your client. To fix this, please use a valid whitelisted URL. Refer to your client credential JSON file for the list of valid, whitelisted URLs.
Please note that we do not allow wildcard URLs or URLs with dynamic parameters; URLs need to be specific. We do, however, allow deep-linking for mobile applications.
To whitelist new URLs, please reach out to our support engineers with the URLs you wish to be added to your client.
Invalid Scope
{
  "error": "invalid_scope"
}
This error may be encountered when trying to retrieve a client or user token, for one of the following reasons:
- The scope parameter includes scopes not authorised for your client. You can verify the list of authorised scopes in your credential JSON file under the key allowedScopes. Should you require any additional scopes to be enabled, please reach out to our support engineers.
- The scope parameter includes misspelled scopes.
- The scope parameter is not included in the request.
- When requesting multiple scopes, the scope parameter has values not separated by a single whitespace, e.g. a valid value is client_paymentrequest client_refund.
Invalid Grant
{
  "error": "invalid_grant"
}
This error may be encountered when trying to retrieve a client or user token, for one of the following reasons:
- Retrieving a client token without specifying the scope parameter in the request parameters.
- Retrieving a client token without specifying the invalid_grant parameter in the request parameters.
- Retrieving a user token with a code_verifier value that's too short or too long. The values of both code_verifier and code_challenge must be between 43 and 128 characters.
- Retrieving a user token with a code_verifier and code_challenge pair that do not match. You can use the widget here to validate if the pairs match.
- Using an expired authorization_code to fetch a user token. Authorization codes are single-use and have a lifetime of 5 minutes. Should the code expire before you can use it, you will need to re-initiate the linking process.
Invalid Code Challenge
{
  "invalid_request": ["Invalid code_challenge"]
}
This error may occur when trying to generate an account authorization URL with an incorrectly-encoded value for the code_challenge parameter. To resolve this, ensure the code challenge is being encoded in base64URL encoding (not base64).
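The code_verifier and code_challenge causes listed under Invalid Grant and Invalid Code Challenge can be caught locally before a request is sent. The following is an added example, not Stitch's own code: it assumes the S256 challenge method from RFC 7636 (the page does not name the method), and the function names are hypothetical.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 "unreserved" alphabet; the 43-128 length bound is the one stated above.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")
# base64url alphabet only: no '+', '/' or '=' padding.
_CHALLENGE_RE = re.compile(r"[A-Za-z0-9\-_]{43,128}")


def b64url(data: bytes) -> str:
    """base64url without padding (standard base64 would emit '+', '/' and '=')."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 transform (assumed method): BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair(n_bytes: int = 32) -> tuple[str, str]:
    """Return (code_verifier, code_challenge); 32 random bytes give 43 characters."""
    verifier = b64url(secrets.token_bytes(n_bytes))
    return verifier, challenge_for(verifier)


def preflight(verifier: str, challenge: str) -> list[str]:
    """List the problems that would lead to the errors described above."""
    problems = []
    if not _VERIFIER_RE.fullmatch(verifier):
        problems.append("code_verifier must be 43-128 unreserved characters")
    if not _CHALLENGE_RE.fullmatch(challenge):
        problems.append("code_challenge is not unpadded base64url (or wrong length)")
    elif not problems and not secrets.compare_digest(challenge_for(verifier), challenge):
        problems.append("code_verifier and code_challenge do not match")
    return problems


if __name__ == "__main__":
    v, c = new_pkce_pair()
    print(len(v), len(c), preflight(v, c))
    # Constructed failure case: the same digest in standard base64 is rejected.
    std = base64.b64encode(hashlib.sha256(v.encode("ascii")).digest()).decode("ascii")
    print(preflight(v, std))
```

Keep the verifier in the session that started the linking flow and send only the challenge in the authorization URL.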