voyageai-cli
Version:
CLI for Voyage AI embeddings, reranking, and MongoDB Atlas Vector Search
80 lines (47 loc) • 3.46 kB
Markdown
# Authentication Errors
Authentication errors indicate that a request lacks valid credentials or the provided credentials are invalid. Understanding error codes and recovery strategies is essential for building robust authentication flows.
## Common Error Codes
**401 Unauthorized**: The request lacks valid authentication credentials. Possible causes:
- Missing Authorization header
- Invalid or expired access token
- Malformed JWT (doesn't match signature)
**403 Forbidden**: The request is authenticated but not authorized for this resource. The user's scopes don't include the required permission.
**400 Bad Request**: Invalid authentication parameters (e.g., malformed login request, missing required fields).
**429 Too Many Requests**: Rate limiting on authentication endpoints. Too many failed login attempts from the same IP address triggers a temporary lockout.
## Password-Related Errors
**invalid_password**: Password is incorrect. The response includes `attempts_remaining` to warn before account lockout.
**password_expired**: User's password has expired and must be changed before authentication succeeds.
**password_too_weak**: New password doesn't meet complexity requirements. Respond with details about required rules (length, character types, etc.).
## MFA Errors
**mfa_required**: MFA is enabled but no MFA code provided. Return a challenge token for MFA verification.
**invalid_mfa_code**: The provided MFA code is incorrect or expired. Response includes `attempts_remaining`.
**backup_code_invalid**: Backup code provided doesn't match or has already been used.
## Token Errors
**token_expired**: Access token has exceeded its expiry time. Client should refresh or re-authenticate.
**token_invalid**: Token signature doesn't match or is malformed.
**refresh_token_expired**: Refresh token has expired; require full re-authentication.
**token_revoked**: Token was explicitly revoked and can no longer be used.
## Rate Limiting and Account Lockout
After 5 failed login attempts within 10 minutes, the account is temporarily locked for 15 minutes. This prevents brute-force attacks.
Lockout applies per email, not per IP. Users are notified via email that their account was locked. Admins can manually unlock accounts via `/admin/users/{user_id}/unlock`.
## CORS and Cross-Origin Errors
**invalid_origin**: The request's origin doesn't match allowed CORS origins. For OAuth flows, this typically means the redirect URI wasn't registered.
**cross_origin_request_blocked**: Requests from unauthorized origins are blocked even before reaching authentication handlers.
## Error Responses Format
Standard error response:
```json
{
"error": "invalid_password",
"error_description": "The password provided is incorrect.",
"error_code": 40001,
"timestamp": "2026-02-18T12:34:56Z",
"request_id": "req_abc123"
}
```
The `request_id` is useful for support tickets and debugging. Include it in error reports.
## Handling Errors Gracefully
Always implement exponential backoff when handling 401/403 errors. Don't hammer the API with invalid tokens; this triggers rate limiting. Cache token validation errors for 5 seconds before retrying.
For user-facing applications, provide clear error messages:
- "Incorrect password. Try again." (not "Invalid password")
- "Your account is locked for 15 minutes due to failed login attempts."
- "This feature requires additional permissions. Contact your administrator."