Common Errors
| Symptom | Likely cause | Fix |
|---|---|---|
invalid_request: Request object required for this client | Your client is configured to require signed requests, but you sent an unsigned request. | Send a signed request object (JAR). |
invalid_request: Unsigned request objects not allowed for this client | You passed a request with alg=none to a signed-request client. | Sign the request object with your registered key. |
invalid_request: No jwt authkey configured for client | No public key is registered for your client. | Register your signing public key via iPortal (see Registering). |
invalid_request: Missing nbf / scope / redirect_uri | A required claim is absent from the signed request object. | Include nbf, scope, and redirect_uri inside the JWT (see JAR). |
invalid_scope: Invalid scope | A scope in your request is not recognized. | Check the spelling of the faceauth_* scope (see Scopes) against the discovery document's scopes_supported. |
invalid_request: Invalid or expired request_uri | The PAR request_uri was reused or has expired. | Push a fresh PAR request; it is single-use and short-lived. |
invalid_request: Unregistered redirect_uri | The redirect_uri is not on your client's allow-list. | Register the exact URI (see Redirect URIs); match it exactly (trailing slash matters). |
invalid_client: Invalid client credentials | Wrong/missing client authentication. | Check your method and credentials (see Client Authentication). |
invalid_grant at the token endpoint | Code expired/reused, PKCE verifier mismatch, or redirect_uri mismatch. | Exchange the code promptly and once; send the matching code_verifier and identical redirect_uri. |
Profile delete/reset rejected mentioning a shared configuration | Your account runs on the shared default service configuration. | Contact iProov to provision a dedicated configuration (see User Management). |
| ID-token validation fails | Wrong issuer/audience, clock skew, or wrong key. | Read iss/jwks_uri from discovery; allow small clock skew; check aud == client_id. |
For OAuth/OIDC errors generally, the JSON body carries error and error_description.