Documentation

Error Handling

Anticipate failure modes across authorize, callback, and token exchange.

Authorize / callback errors

When authorization fails, Radiant Auth may redirect to your redirect_uri with:

  • error — machine-readable code (for example access_denied)
  • error_description — human-readable detail
  • state — echo of your state parameter when present
Warning
Never proceed with token exchange if error is present or if state does not match.

Token endpoint errors

Failed token requests return a non-2xx status with a JSON body that typically includes error and optionally error_description. Common causes:

  • Invalid or expired authorization code
  • PKCE verifier mismatch
  • Redirect URI mismatch
  • Wrong client credentials
  • Invalid or rotated refresh token

Recommended UX

  • Log the error code server-side with a request id.
  • Show a generic message to users (“Sign-in failed — try again”).
  • Offer a button that restarts the login flow with fresh PKCE/state.
  • On refresh failure, clear the session and force re-authentication.
Note
Do not leak YOUR_CLIENT_SECRET, tokens, or raw IdP error payloads to the browser in production logs exposed to clients.