This section describes the errors returned by the Oura API.
The Oura API responds to requests with the appropriate HTTP status code. The response format is based on
RFC7807 for all requests.
Additionally, requests related to OAuth2 also include the error response fields as defined in
In case of an error, all Oura API endpoints respond with a JSON object that contains at least the following fields.
The HTTP status code generated by the origin server. Typically
A short, human-readable summary of the problem type.
A human-readable explanation specific to this occurrence of
Fig.1 - Error response fields.
Common HTTP Errors
Invalid Access token
Access token not provided or is invalid. Check that you are including a token and that it is complete.
Token Already Used Or Revoked
Token already used or revoked. If you are trying to use a refresh token, note that it can only be used once.
Token has expired.
Missing required scopes. Your token must have the scopes listed as part of the detail of the error. You may need to have
the user re-authenticate your app with the required scopes.
Token not provided. Either token is not provided at all or is invalid.
No Valid Redirect URIs In Application
No redirect URIs set in the application. Check that your application has at least one valid redirect_uri.
Missing Redirect URI Parameter
Missing redirect_uri parameter. Provide a redirect_uri as a query parameter.
Redirect URI Not Found
redirect uri not found in application redirect URIs. Provide a redirect_uri that exists in your
Invalid Client ID
Invalid client_id. Check that your client_id is correct and valid.
Invalid Grant Type
Invalid grant_type. grant_type must be either authorization_code or
Missing Redirect URI Payload
redirect_uri missing. Check that redirect_uri payload is provided.
Redirect URI Does Not Match
redirect_uri does not match. The redirect_uri payload must match that of the
OAuth2 Error Response Fields
When returning an error from an OAuth2 endpoint, the Oura API responds with a JSON object that contains the following
fields in line with RFC6749 in addition to the
RFC7807-inspired fields mentioned above.
Standard OAuth2 error code, which can be one of the following:
invalid_request, unauthorized_client, access_denied,
server_error or temporarily_unavailable
Human-readable description that provides additional information.
A URI identifying a human-readable web page with
information about the error.
The request is missing a required parameter, includes an
unsupported parameter value (other than grant type),
repeats a parameter, includes multiple credentials,
utilizes more than one mechanism for authenticating the
client, or is otherwise malformed.
Client authentication failed (e.g., unknown client, no
client authentication included, or unsupported
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
The client is not authorized by the Oura server to make the request.
The authorization grant type you have provided is not supported by Oura
The scope you have requested is invalid, unknown, malformed, or
exceeds the scope granted by the Oura API.
The access token provided is expired, revoked, malformed, or
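
A client-side handler for the error bodies described on this page, as an added example that is not Oura's own code: it maps the OAuth2 error codes and the error titles listed above to a next step and builds a log line from the server-supplied text. The member names (`status`, `title`, `detail` from RFC 7807, `error` from RFC 6749), the action labels, the function names and the sample body are assumptions; the page describes the fields without showing their names.

```python
import json

# Assumed member names: RFC 7807 (status, title, detail) and RFC 6749 (error).
REAUTH, REFRESH, RETRY, FIX_CONFIG, FAIL = (
    "reauthorize_user", "refresh_access_token", "retry_with_backoff",
    "fix_client_config", "fail")
# OAuth2 error codes listed on this page.
OAUTH_ACTIONS = {
    "invalid_request": FIX_CONFIG, "unauthorized_client": FIX_CONFIG,
    "access_denied": REAUTH, "server_error": RETRY,
    "temporarily_unavailable": RETRY,
}
# Lower-cased fragments of the titles and details under "Common HTTP Errors".
# A used or revoked refresh token is single-use, so it maps to re-authorization, not retry.
TEXT_ACTIONS = [
    ("token already used or revoked", REAUTH),
    ("token has expired", REFRESH), ("missing required scopes", REAUTH),
    ("invalid access token", REAUTH),
    ("redirect uri", FIX_CONFIG), ("redirect_uri", FIX_CONFIG),
    ("invalid client", FIX_CONFIG), ("invalid grant", FIX_CONFIG),
]
# Constructed sample body (not captured from the API; the status value is illustrative).
SAMPLE = ('{"status": 401, "title": "Token Already Used Or Revoked", '
          '"detail": "Token already used or revoked."}')

def classify(http_status, body):
    """Return (problem, action) for an error response body given as text."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        doc = None
    if not isinstance(doc, dict):  # e.g. an HTML error page from a proxy
        doc = {}
    problem = {k: doc.get(k) for k in ("title", "detail", "error")}
    problem["status"] = http_status  # transport status, not the body's copy
    code = problem["error"] if isinstance(problem["error"], str) else None
    text = f"{problem['title'] or ''} {problem['detail'] or ''}".lower()
    action = OAUTH_ACTIONS.get(code)
    if action is None:  # no known OAuth2 code: fall back to title/detail text
        action = next((a for frag, a in TEXT_ACTIONS if frag in text), None)
    if action is None:
        action = RETRY if http_status >= 500 else FAIL
    return problem, action

def log_line(problem, action):
    """Log line with server-supplied text bounded and control characters removed."""
    detail = "".join(c for c in str(problem["detail"] or "") if c.isprintable())
    return (f"oura_api_error status={problem['status']} "
            f"error={problem['error']!r} action={action} detail={detail[:200]!r}")
```

Matching on human-readable titles is a fallback only; where the response carries an OAuth2 `error` code, that machine-readable value decides the action.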