Errors and Troubleshooting
Common Errors
| CODE | Information | Additional Context |
|---|---|---|
| E011001 | Request is malformed | The request contains invalid or malformed data. Common causes include: received tenant from query param that does not match any pattern (tenant not found, check if tenant exists and name is spelled correctly), or SSO not supported for domain (user tried to log in with SSO, but there is no tenant with the email domain associated with the user). |
| E061102 | One time code is invalid | The provided one-time code is invalid. Note that you can change the number of attempts in the authentication method settings. |
| E102116 | Invalid task ID: Execute next direct workflow failed. Failed to get execution info | During flow execution, the next flow step was not found. Ensure that the steps are connected throughout the flow and all the way to the end step. |
| E103205 | Did not find execution context: Flow timed out, please try to refresh | The Descope flow component has been idling for too long. Refreshing the component will create a new flow execution. |
| E062504 | Token expired: Failed to load magic link token | The magic link has expired. The user will need to restart the authentication process to receive a fresh magic link token. |
| E063010 | Failed loading magic/enchanted link from cache, was not found, might be expired | The magic link has expired. The user will need to restart the authentication process to receive a fresh magic link token. |
| E011003 | Request is invalid | The request contains invalid arguments or field values. Common causes include: required fields are missing (e.g., The [NAME] field is required), PKCE verifier must be exactly 32 bytes, PKCE challenge must be exactly 32 bytes, redirect URL must be at most 2048 characters, or OTP code must be exactly 6 characters. Make sure all required fields are provided and comply with format requirements. |
| E061104 | One time code expired | The one-time code has expired. The user needs to restart the authentication or resend the OTP code to receive a valid new code. |
| E062503 | Token not verified: Unauthorized enchanted link status - token was not verified yet | The enchanted link has expired. The user needs to restart the authentication process to receive a fresh enchanted link token. |
| E062115 | Attempt to login with unverified email or phone: Unverified email / phone | The user tried to log in with an unverified e-mail or phone number. When used here, the number or email must be verified first. |
| E062108 | User not found | User was not found in Descope. Descope uses LoginId to identify the user, so make sure that the right loginId is used for the specific step or SDK. This error can occur during general user lookup, OAuth token exchange, or NOTP sign-in verification. Verify that the user exists or switch to signing the user up if applicable. |
| E062904 | Password does not satisfy policy | User did not comply with the password policy when setting their password. Common violations include: missing non-alphanumeric characters, uppercase characters, lowercase characters, numbers, or minimum length requirements. It is recommended to use the policy previewer component so that the user will be able to see why the password was rejected. |
| E064002 | Empty or Non Existent Refresh Token JWT was provided | Token is missing. When using a custom domain, check whether the DS or DSR are absent from the localStorage or the cookie. |
| E062901 | Invalid signin credentials | One of the provided credentials is wrong. This error is used for password authentication and may include the attempt count in the error message. |
| E069000 | PKCE Validation Failed: Failed to verify link - PKCE Validation Failed: PKCE challenge and verifier do not match | PKCE already used, or the challenge and the verifier do not match. Validate that the PKCE is being used for the first time, or that it is being created and passed properly. |
| E061301 | Failed to exchange token: Failed to exchange sso code | Wrong or missing SSO code for exchange. |
| E062209 | Token exchange with OAuth provider failed, please validate your OAuth setup: [E062108] User not found: User does not exists [error: [E013009]] | For signing in with OAuth, the user must exist first in the Descope user table. Check that the user exists or have the user sign up. |
| E061103 | Max attempts exceeded for one time code | User has reached the maximum number of attempts to verify the login with the OTP. This may be an attempt to break into the account. |
| E071001 | Project does not exist | The Descope Project ID is invalid/does not exist. Verify that it has been entered correctly. |
| E102111 | Flow reached limit of allowed tasks | The number of tasks executed exceeded 1000. Check your flow for infinite loops. |
| E102103 | Did not find next task: Could not get next task for [NAME] | During flow execution, the next flow step was not found. Ensure that the steps are connected throughout the flow and all the way to the end step. |
| E061002 | Sign up is not allowed: Self provisioning signUp is not allowed | Sign ups are not allowed. This may be a result of checking the “Block self-registration sign up” in the project settings page. |
| E033005 | Rate limit exceeded: Exceeded the allowed number of emails in a the defined time frame. Please wait a while and try again | User actions triggered several email messages which exceeded the limit. It is recommended to check the flow and the user actions to find a way to prevent this from happening again. |
| E125004 | Connector execution runtime error | The connector encountered an error during execution. Common causes include: URL not reachable (getaddrinfo ENOTFOUND - check the URL and network, contact Descope if everything seems correct), or task timed out after x seconds (response took too long - either increase the timeout in the connector step or check the destination machine for issues). |
| E064003 | Invalid Refresh Token JWT was provided: Failed to load user | The provided user JWT did not match any existing user in the project. Please make sure you are using the right project. |
| E013009 | Connector not found | Flow is using a connector that does not exist. Check whether the connector exists. |
| E062903 | Password signin failed | Wrong password provided. |
| E023001 | User is disabled | User is disabled. Enable the user through the UI or API. You can also alert your users when they are disabled and provide them an option to contact support. |
| E067010 | User doesn't have any WebAuthn credentials | The user tried to sign-in with passkeys, and does not have a passkey set on the device. See the ‘promote-biometrics’ flow as an example of how to set up a passkey. |
| E062910 | Password cannot be reused [error: rpc error: code = Unknown desc = [E062910] Password cannot be reused] | User tried to set a password that has been used before. You can control the number of passwords that Descope checks against, by going into the password authentication method settings. |
| E106003 | Could not find tenant: Cannot determine tenant from JWT | Happens when performing an authorized action and the tenant is required for performing the action. |
| E031002 | Missing providers Settings | The provider specified in the flow is missing (probably deleted). |
| E011004 | Invalid Arguments | The arguments passed to the API/SDK call are invalid. |
| E067015 | Login transaction not found | The passkey operation timed out. |
| E073307 | Failed to save tenant, tenant ID or Name already exist: Failed creating tenant because provisioning domains are duplicate | The tenant already exists. Happens when self-provisioning is used inside a flow or the requested tenant has the same email domain. |
| E106004 | Could not find tenant: Illegal tenant requested | The name of the tenant does not exist in Descope. |
| E032101 | Failed to send sms: Status: 429 - Max send attempts reached | The maximum number of attempts to send an SMS to a specific number has been reached. |
| E062605 | Token exchange with SSO provider failed | SSO token exchange failed. Common causes include: cannot generate redirect URI (redirect URI is not configured or is missing from metadata on the IDP, make sure all URLs are set correctly on the IDP), or user is disabled in Descope (enable the user through the user table). |
| E062907 | Password reset send failed | This can be a result of wrong email provider settings. Check the relevant connector. |
| E102112 | Invalid execution id | Flow execution ID not found. Restart the flow to create a new ID. |
| E112201 | Tenant does not belong to the specified project | The tenant does not belong to the specified project. The tenant ID is case sensitive, so ensure that the tenant ID is cased correctly. |
| E023009 | Cannot merge with test user: Cannot merge with test user | Test users are not permitted. |
| E062906 | Password update failed | Updating the password failed. |
| E062111 | JWT invalid for update user flow - JWT does not match user | The JWT provided does not match the user. |
| E102004 | Flow requested is in old version, need to reload page: Got wrong version after reload | Flow has changed, refresh the page to get a newer flow version. |
| E011002 | Request is missing required arguments | The request has a missing or invalid argument that does not comply with the field’s format. Make sure to provide that field or check the validity of the field. |
| E103003 | Failed getting flow: Failed loading flow by ID | Flow ID was not found on the project. Make sure you have the right flow ID or that you are using the right project ID. |
| E032001 | Failed to send email: Failed to send email through SES (MessageRejected): Email address is not verified | SES requires the sender email to be verified on AWS. Make sure you follow the steps to verify it. |
| E032106 | Invalid Phone number provided to phone SMS: Failed to send SMS - Invalid Phone To +xx-xxxxxx | The phone number provided does not comply with the phone number format. |
| E064011 | JWT inactive for too long: Failed getting tenants from JWT. | The operation requires a specific tenant to work. The JWT contains either no tenant or multiple tenants. |
| E061003 | Redirect URL does not match the approved domain list | When using a custom redirect URL with an IDP, make sure to add the domain to the approved domain list in the project settings page. |
| E061010 | Your company account is no longer active. Please contact support for assistance | This error occurs when attempting to access a company that has been deleted or disabled. The account is no longer accessible. Contact Descope support if you believe this is an error. |
| E062208 | Failed to create user from mapping, external ID does not exist | When trying to merge identities from SSO / OAuth in a sign in process, there is no existing user with the associated ID (e-mail or phone number). |
| E062107 | User already exists in SignUp. | User with the provider login ID already exists. Use sign in or sign up / in instead. |
| E103202 | Polling status not found. | Magic Link / Enchanted Link reference not found. It has probably expired or was already clicked on. Try sending it again. |
| E061206 | Missing redirect URL for IdP initiated login. | An SSO IdP-initiated request was received while the post-authentication URL is not configured. To make it work, please follow this guide. |
OAuth OIDC Related Errors
Token exchange with OAuth provider failed, please validate your OAuth setup.
These errors might indicate a misconfiguration on both sides, the SP and the IDP. Here is a list of all of the errors that might occur when Descope is the SP. To further debug IDP related issues, read the documentation that is associated with the error message and the specific IDP used.
| Information | Additional Context |
|---|---|
| Failed to connect to user info endpoint | Either the user endpoint cannot be reached or it does not return valid JSON. |
| This OAuth Provider is not enabled, need to allow in project settings first | The provider that was used in the flow is not enabled. |
| The user has denied access to the scope requested by the client application | The user has declined the access request of the app. |
| Disabled user in oauth exchange | The user is disabled in Descope. |
| User already exists: User already exists | The user already exists and sign up is rejected. Use sign in instead. |
| User not found: User does not exist | The user must exist first in the Descope user table. Check that the user exists or have the user sign up. |
| Request is missing required arguments | The provided e-mail address does not comply with the e-mail format. |
Note
Are you facing an error that is not listed here? Please contact us, and we will make sure to list it.