RESTlets and REST Web Services Error Messages in the Login Audit Trail

The following table lists errors that are visible in the Detail column of the Login Audit Trail Results.

Problem	RESTlets/REST Web Services	Resolution
The access token is expired.	AccessTokenExpired	Use the refresh token to get a new access token. If the refresh token is expired, initiate the authorization code grant flow to get a new pair of tokens. For more information, see OAuth 2.0 Authorization Code Grant Flow.
At least one of the following is invalid: Entity Contact Role	EntityOrRoleDisabled	Verify that the entity, contact, or role exists in the account.
The signature is invalid.	InvalidSignature	Ensure that you use the correct public key for token validation. For more information, see OAuth 2.0 Access and Refresh Token Structure. Warning: Invalidity of issuer or signature may be caused by cross-site request forgery (CSFR) attacks. To ensure that your application is safe, follow the OAuth 2.0 specification. For more information, see RFC6749 Section 10.12.
Login attempted with a refresh token.	TokenRejected	Ensure that the application uses the access token for access and the refresh token for the refresh token POST request. For more information, see Refresh Token POST Request to the Token Endpoint.
The integration application ID is invalid.	InvalidIntegration	Verify that the corresponding integration record exists in the account.
The integration application has empty scope or the scope in the token does not match the scope in the integration record.	ScopeMismatched	Ensure that the RESTlets or REST Web Services box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.
The integration application does not use OAuth 2.0.	AuthorizationCodeGrantRequired	Ensure that the Authorization Code Grant box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.
The scope value is empty in the token.	InvalidScope	Ensure that the structure of the access token is correct. For more information, see OAuth 2.0 Access and Refresh Token Structure.
Role or entity is inactive.	EntityOrRoleDisabled	Verify that the entity or role is active in the account.
The OAuth 2.0 feature is not enabled in the account.	FeatureDisabled	See Enable the OAuth 2.0 Feature.
The integration record is blocked.	IntegrationBlocked	Ensure that the value of the State field is set to Enabled on the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.
The token is signed with an algorithm that is not supported.	UnsupportedAlgo	Ensure that you use a supported algorithm for signing tokens. For more information, see The Request Token Structure.
The token validity is too far in the future.	TokenValidityTooBroad	Ensure that the validity of the access token in the client credentials flow does not exceed two hours.
Either access or refresh token is blocked, causing the access to be denied.	TokenBlocked	Start the flow again, using a fresh pair of access and refresh tokens.
Either access token was used as a refresh token, or refresh token was used for access.	InvalidTokenType	Ensure you are setting up the authorization code grant flow according to the documentation.
The token signature is incorrect.	SignatureValidation	Ensure you are using the correct signature for tokens during the client credentials flow. For more information, see OAuth 2.0 Client Credentials Setup.
The client ID in first and second step of the authorization code grant flow do not match.	ClientIdMismatch	Ensure you have the authorization code grant flow set up correctly. For more information, see OAuth 2.0 Authorization Code Grant Flow.
The value of the nonce parameter is set up incorrectly, or the token is issued in the future.	TokenNotAcceptable	Ensure that the token time validity is set up correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.
Any one of the tokens used during an OAuth 2.0 flow is expired.	TokenExpired	Start the flow again, using a fresh pair of access and refresh tokens.
The token issuer is incorrect.	InvalidIssuer	Ensure that you use a valid token issuer. For more information, see OAuth 2.0 Access and Refresh Token Structure.
The header of a token is missing a value for the kid parameter.	MissingKeyId	Ensure that you set up your token correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.
The value of the kid parameter in a token header does not match any valid certificate.	MissingKey	Ensure that you set up your token correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.

Problem

RESTlets/REST Web Services

Resolution

The access token is expired.

AccessTokenExpired

Use the refresh token to get a new access token. If the refresh token is expired, initiate the authorization code grant flow to get a new pair of tokens. For more information, see OAuth 2.0 Authorization Code Grant Flow.

At least one of the following is invalid:

Entity
Contact
Role

EntityOrRoleDisabled

Verify that the entity, contact, or role exists in the account.

The signature is invalid.

InvalidSignature

Ensure that you use the correct public key for token validation. For more information, see OAuth 2.0 Access and Refresh Token Structure.

Warning:

Invalidity of issuer or signature may be caused by cross-site request forgery (CSFR) attacks. To ensure that your application is safe, follow the OAuth 2.0 specification. For more information, see RFC6749 Section 10.12.

TokenRejected

Ensure that the application uses the access token for access and the refresh token for the refresh token POST request. For more information, see Refresh Token POST Request to the Token Endpoint.

The integration application ID is invalid.

InvalidIntegration

Verify that the corresponding integration record exists in the account.

The integration application has empty scope or the scope in the token does not match the scope in the integration record.

ScopeMismatched

Ensure that the RESTlets or REST Web Services box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

The integration application does not use OAuth 2.0.

AuthorizationCodeGrantRequired

Ensure that the Authorization Code Grant box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

The scope value is empty in the token.

InvalidScope

Ensure that the structure of the access token is correct. For more information, see OAuth 2.0 Access and Refresh Token Structure.

Role or entity is inactive.

EntityOrRoleDisabled

Verify that the entity or role is active in the account.

The OAuth 2.0 feature is not enabled in the account.

FeatureDisabled

See Enable the OAuth 2.0 Feature.

The integration record is blocked.

IntegrationBlocked

Ensure that the value of the State field is set to Enabled on the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

The token is signed with an algorithm that is not supported.

UnsupportedAlgo

Ensure that you use a supported algorithm for signing tokens. For more information, see The Request Token Structure.

The token validity is too far in the future.

TokenValidityTooBroad

Ensure that the validity of the access token in the client credentials flow does not exceed two hours.

Either access or refresh token is blocked, causing the access to be denied.

TokenBlocked

Start the flow again, using a fresh pair of access and refresh tokens.

Either access token was used as a refresh token, or refresh token was used for access.

InvalidTokenType

Ensure you are setting up the authorization code grant flow according to the documentation.

The token signature is incorrect.

SignatureValidation

Ensure you are using the correct signature for tokens during the client credentials flow. For more information, see OAuth 2.0 Client Credentials Setup.

The client ID in first and second step of the authorization code grant flow do not match.

ClientIdMismatch

Ensure you have the authorization code grant flow set up correctly. For more information, see OAuth 2.0 Authorization Code Grant Flow.

The value of the nonce parameter is set up incorrectly, or the token is issued in the future.

TokenNotAcceptable

Ensure that the token time validity is set up correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.

Any one of the tokens used during an OAuth 2.0 flow is expired.

TokenExpired

Start the flow again, using a fresh pair of access and refresh tokens.

The token issuer is incorrect.

InvalidIssuer

Ensure that you use a valid token issuer. For more information, see OAuth 2.0 Access and Refresh Token Structure.

The header of a token is missing a value for the kid parameter.

MissingKeyId

Ensure that you set up your token correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.

The value of the kid parameter in a token header does not match any valid certificate.

MissingKey

Ensure that you set up your token correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.

Related Topics