Common Errors
| CODE | Information | Additional Context |
|---|---|---|
| E011001 | Request is malformed: Received tenant from query param, but it does not match any pattern | A tenant with the received name was not found. Check whether the tenant exists and whether the name was not misspelled. |
| E061102 | One time code is invalid | The provided one-time code is invalid. Note that you can change the number of attempts in the authentication method settings. |
| E102116 | Invalid task ID: Execute next direct workflow failed. Failed to get execution info | During flow execution, the next flow step was not found. Ensure that the steps are connected throughout the flow and all the way to the end step. |
| E103205 | Did not find execution context: Flow timed out, please try to refresh | The Descope flow component has been idling for too long. Refreshing the component will create a new flow execution. |
| E062504 | Token expired: Failed to load magic link token | The magic link has expired. The user will need to restart the authentication process to receive a fresh magic link token. |
| E063010 | Failed loading magic/enchanted link from cache, was not found, might be expired | The magic link has expired. The user will need to restart the authentication process to receive a fresh magic link token. |
| E011003 | Request is invalid: The [NAME] field is required | This field cannot remain empty, please make sure you provide it. |
| E061104 | One time code expired | The one-time code has expired. The user needs to restart the authentication or resend the OTP code to receive a valid new code. |
| E062503 | Token not verified: Unauthorized enchanted link status - token was not verified yet | The enchanted link has expired. The user needs to restart the authentication process to receive a fresh enchanted link token. |
| E062115 | Attempt to login with unverified email or phone: Unverified email / phone | The user tried to log in with an unverified e-mail or phone number. When used here, the number or email must be verified first. |
| E062108 | User not found: Cannot find user | User was not found. Descope uses LoginId to identify the user, make sure that the right loginId is used for the specific step or SDK. |
| E062904 | Password does not satisfy policy: Password must contain at least one non-alphanumeric character | User did not comply with the password policy when setting his password. It is recommended to use the policy previewer component so that the user will be able to see why the password was rejected. |
| E062904 | Password does not satisfy policy: Password must contain at least one uppercase character | User did not comply with the password policy when setting his password. It is recommended to use the policy previewer component so that the user will be able to see why the password was rejected. |
| E064002 | Empty or Non Existent Refresh Token JWT was provided | Token is missing. When using a custom domain check whether the DS or DSR are absent from the localStorage or the cookie. |
| E062904 | Password does not satisfy policy: Password must contain at least X characters | User did not comply with the password policy when setting his password. It is recommended to use the policy previewer component so that the user will be able to see why the password was rejected |
| E062904 | Password does not satisfy policy: Password must contain at least one lowercase character | User did not comply with the password policy when setting his password. It is recommended to use the policy previewer component so that the user will be able to see why the password was rejected |
| E062901 | Invalid signin credentials: attempt #X | User did not comply with the password policy when setting his password. It is recommended to use the policy previewer component so that the user will be able to see why the password was rejected |
| E062904 | Password does not satisfy policy: Password must contain at least one number | User did not comply with the password policy when setting his password. It is recommended to use the policy previewer component so that the user will be able to see why the password was rejected |
| E069000 | PKCE Validation Failed: Failed to verify link - PKCE Validation Failed: PKCE challenge and verifier do not match | PKCE already used, or the challenge and the verifier do not match. Validate that the PKCE is being used for the first time, or that it is being created and passed properly. |
| E061301 | Failed to exchange token: Failed to exchange sso code | Wrong or missing SSO code for exchange. |
| E062209 | Token exchange with OAuth provider failed, please validate your OAuth setup: [E062108] User not found: User does not exists [error: [E013009]] | For signing in with OAuth, the user must exist first in the Descope user table.Check that the user exists or have the user sign up. |
| E062901 | Invalid signin credentials | One of the provided credentials is wrong, used for password authentication. |
| E061103 | Max attempts exceeded for one time code | User has reached the maximum attempts verifying the log in with the OTP. This may be an attempt to break into the account. |
| E102111 | Flow reached limit of allowed tasks | The amount of tasks executed exceeded 1000. Check your flow for infinite loops. |
| E102103 | Did not find next task: Could not get next task for [NAME] | During flow execution, the next flow step was not found. Ensure that the steps are connected throughout the flow and all the way to the end step.. |
| E061002 | Sign up is not allowed: Self provisioning signUp is not allowed | Sign ups are not allowed. This may be a result of checking the “Block self-registration sign up” in the project settings page. |
| E033005 | Rate limit exceeded: Exceeded the allowed number of emails in a the defined time frame. Please wait a while and try again | User actions triggered several email messages which exceeded the limit. It is recommended to check the flow and the user actions to find a way to prevent this from happening again. |
| E125004 | Connector execution runtime error: getaddrinfo ENOTFOUND URL | The connector’s URL is not reachable. This may be a network issue. Check the URL and the network and if everything seems to be in order, contact Descope. |
| E064003 | Invalid Refresh Token JWT was provided: Failed to load user | User’s JWT provided did not find any existing users in the project. Please make sure you are using the right project. |
| E013009 | Connector not found | Flow is using a connector that does not exist. Check whether the connector exists. |
| E062903 | Password signin failed | Wrong password provided. |
| E023001 | User is disabled: User disabled | User is disabled. Enable the user through the UI or API. You can also alert your users when they are disabled and provide them an option to contact support. |
| E067010 | User doesn't have any WebAuthn credentials | The user tried to sign-in with passkeys, and does not have a passkey set on the device. See the ‘promote-biometrics’ flow as an example of how to set up a passkey. |
| E062910 | Password cannot be reused [error: rpc error: code = Unknown desc = [E062910] Password cannot be reused] | User tried to set a password that has been used before. You can control the number of passwords that Descope checks against, by going into the password authentication method settings. |
| E106003 | Could not find tenant: Cannot determine tenant from JWT | Happens when performing an authorized action and the tenant is required for performing the action. |
| E031002 | Missing providers Settings | The provider specified in the flow is missing (probably deleted). |
| E011001 | Request is malformed: SSO not supported for domain | The user tried to log in with SSO, but there is not a single tenant with the email domain associated with the user. |
| E067015 | Login transaction not found | The passkey operation timed out |
| E073307 | Failed to save tenant, tenant ID or Name already exist: Failed creating tenant because provisioning domains are duplicate | The tenant already exists. Happens when self-provisioning is used inside a flow or the requested tenant has the same email domain. |
| E106004 | Could not find tenant: Illegal tenant requested | The name of the tenant does not exist in Descope. |
| E032101 | Failed to send sms: Status: 429 - Max send attempts reached | The maximum number of attempts to send an SMS to a specific number has been reached. |
| E062605 | Token exchange with SSO provider failed: Cannot generate redirect URI | According to the IDP, the redirect URI is not configured or is missing from metadata. Please make sure all of the URLs are set correctly on the IDP. |
| E062907 | Password reset send failed | This can be a result of wrong email provider settings. Check the relevant connector. |
| E102112 | Invalid execution id | Flow execution ID not found. Restart the flow to create a new ID. |
| E023009 | Cannot merge with test user: Cannot merge with test user | Test users are not permitted. |
| E062906 | Password update failed | Updating the password failed. |
| E062111 | JWT invalid for update user flow - JWT does not match user | The JWT provided does not match the user. |
| E102004 | Flow requested is in old version, need to reload page: Got wrong version after reload | Flow has changed, refresh the page to get a newer flow version. |
| E011002 | Request is missing required arguments | The request has a missing or invalid argument that does not comply with the field’s format. Make sure to provide that field or check the validity of the field. |
| E103003 | Failed getting flow: Failed loading flow by ID | Flow ID was not found on the project. Make sure you have the right flow ID or that you are using the right project ID. |
| E011003 | Request is invalid: The pkceVerifier field must be exactly 32 bytes | When initiating the log in with PKCE - the verifier should be exactly 32 bytes long. |
| E011003 | Request is invalid: The redirectUrl field must be at most 2048 characters | The redirect URL provided exceeds 2048 characters. A longer URL is not supported. |
| E032001 | Failed to send email: Failed to send email through SES (MessageRejected): Email address is not verified | SES requires the sender email to be verified on AWS. Make sure you follow the steps to verify it. |
| E032106 | Invalid Phone number provided to phone SMS: Failed to send SMS - Invalid Phone To +xx-xxxxxx | The phone number provided does not comply with the phone number format. |
| E062108 | User not found: User not found during NOTP sign-in verification | User was not found in Descope when trying to sign-in with NOTP. Verify that the user exists or switch to signing the user up if applicable. |
| E062605 | Token exchange with SSO provider failed: User is disabled | User Is disabled in Descope. The user table allows you to enable the user. |
| E064011 | JWT inactive for too long: Failed getting tenants from JWT. | The operation requires a specific tenant to work. The JWT contains either no tenant or multiple tenants. |
| E011003 | The code field must be exactly 6 characters | When using OTP, the code should be exactly 6 characters long. |
| E011003 | The loginOptions.pkceChallenge field must be exactly 32 bytes | When initiating the log in with PKCE - challenge should be exactly 32 bytes long. |
| E061003 | Redirect URL does not match the approved domain list | When using a custom redirect URL with an IDP, make sure to add the domain to the approved domain list in the project settings page. |
| E062208 | Failed to create user from mapping, external ID does not exist | When trying to merge identities from SSO / OAuth in a sign in process, there is no existing user with the associated ID (e-mail or phone number). |
| E125004 | Connector execution runtime error: Task timed out after x seconds | Response to the connector request took too long. Either increase the timeout in the connector step or check the destination machine for any issues. |
| E062107 | User already exists in SignUp. | User with the provider login ID already exists, use sign in or sign up / in instead. |
OAuth OIDC Related Errors
Token exchange with OAuth provider failed, please validate your OAuth setup.
These errors might indicate a misconfiguration on both sides, the SP and the IDP. Here is a list of all of the errors that might occur when Descope is the SP. To further debug IDP related issues, read the documentation that is associated with the error message and the specific IDP used.
| Information | Additional Context | |
|---|---|---|
| Failed to connect to user info endpoint | Either the user endpoint cannot be reached or does not return a valid JSON. | |
| his OAuth Provider is not enabled, need to allow in project settings first | The provider that was used in the flow is not enabled. | |
| The user has denied access to the scope requested by the client application | The user has declined the access request of the app. | |
| Disabled user in oauth exchange | The user is disabled in Descope. | |
| User already exists: User already exists | The user already exists and sign up is rejected. Use sign in instead. | |
| User not found: User does not exists | the user must exist first in the Descope user table.Check that the user exists or have the user sign up. | |
| Request is missing required arguments | The provided e-mail address does not comply with the e-mail format. |
Note
Are you facing an error that is not listed here? Please contact us, and we will make sure to list it.
Was this helpful?