Documentation
Error Handling
Anticipate failure modes across authorize, callback, and token exchange.
Authorize / callback errors
When authorization fails, Radiant Auth may redirect to your redirect_uri with:
error— machine-readable code (for exampleaccess_denied)error_description— human-readable detailstate— echo of your state parameter when present
Warning
Never proceed with token exchange if
error is present or if state does not match.Token endpoint errors
Failed token requests return a non-2xx status with a JSON body that typically includes error and optionally error_description. Common causes:
- Invalid or expired authorization code
- PKCE verifier mismatch
- Redirect URI mismatch
- Wrong client credentials
- Invalid or rotated refresh token
Recommended UX
- Log the error code server-side with a request id.
- Show a generic message to users (“Sign-in failed — try again”).
- Offer a button that restarts the login flow with fresh PKCE/state.
- On refresh failure, clear the session and force re-authentication.
Note
Do not leak
YOUR_CLIENT_SECRET, tokens, or raw IdP error payloads to the browser in production logs exposed to clients.