Error messages

This page collates the error messages from GOV.UK One Login.

Error messages from the `/authorize` endpoint

Error	More information about your error
`unauthorized_client`	In rare circumstances, such as a security incident, One Login may prevent users from logging in to your service. If this happens, the error code `unauthorized_client` will be returned with the error description `client deactivated`. When your service receives this error, you must show the user a custom error page to explain that they cannot use your service at the moment and should try again later.
`request_is_missing_parameters`	The request has one or more of the following issues: missing a required parameter includes an invalid parameter value includes a parameter more than once not in the correct format . You should check you have included the correct parameters, especially the `client_id`, `redirect_uri`, `response_type` and `scope` parameters.
`invalid_request`	The request has one or more of the following issues: missing a required parameter includes an invalid parameter value includes a parameter more than once not in the correct format . You should check you have included the correct parameters, especially the `client_id`, `redirect_uri`, `response_type` and `scope` parameters.
`invalid_request - Request vtr not valid`	You’ve requested single factor authentication and identity information. To make a successful identity request, you must request two-factor authentication and the identity level of confidence, for example `Cl.Cm.P2`.
`invalid_scope`	The scope or scopes you have requested are invalid, unknown, or are not in the correct format. You can read more about scopes in choosing which user attributes your service can request.
`unsupported_response_type`	Your service is not registered for the requested `response_type`. You must set the `response_type` to be code: `response_type=code`.
`server_error`	The GOV.UK One Login authentication server has experienced an internal server error.
`temporarily_unavailable`	If you’re only making an authentication request (as opposed to requesting both authentication and identity), this error code means the GOV.UK One Login authentication server is temporarily unavailable, which might be caused by temporary overloading or planned maintenance. Make your request again in a few minutes. If you’re making an identity request and you get this error, it means the identity proving and verification does not currently have capacity for this request.
`access_denied`	GOV.UK One Login returns this error in 2 scenarios. The first scenario is that the session in the user’s browser is unavailable. This can happen when your user’s cookies have been lost or your user changed browsers during the identity verification process. You should then make another authentication and identity request. You must help your user try again, for example by going back to the start of your authentication and identity verification process. The second scenario is that the identity evidence your user provided has a lower score than the identity confidence specified in your request. As a result, GOV.UK One Login could not return the medium level of identity confidence (`P2`) and instead returned a lower level of identity confidence. If you’re using return codes, you will not receive an error for this scenario. Find more information on understanding the return codes claim.

Error messages from the `/userinfo` endpoint

Error	More information about your error
`invalid_token`	GOV.UK One Login denied your request as you have an invalid or missing bearer access token. To proceed, you must use the authorisation header field to send the token as a bearer token.

Error messages from the `/token` endpoint

Error	More information about your error
`invalid_request`	The request is missing a parameter so the server cannot proceed with the request. This error may also be returned if the request includes an unsupported parameter or repeats a parameter. Review your parameters and check they are supported and not repeated.
`invalid_client`	Client authentication failed, which could be caused by the request containing an invalid `client_id` or an issue in validating the signature of the `client_assertion`. To resolve, check: your `client_id` matches the `client_id` you received when you registered your service to use GOV.UK One Login you have signed your `client_assertion` JWT with the private key generated when you registered your service to use GOV.UK One Login your service uses a key signing algorithm which GOV.UK One Login supports
`invalid_grant`	The authorisation code is invalid or expired. This is also the error which would return if the redirect URL given in the authorisation request does not match the URL provided in this access token request.
`unauthorized_client`	The application is successfully authenticated, but it’s not registered to use the requested grant type.
`unsupported_grant_type`	The grant type is not supported by the server.

This page was last reviewed on 21 January 2025.