Docs

Authentication errors

An index of Clerk errors related to authentication, such as when a Clerk Secret Key is invalid, or when a request is not authenticated.

InvalidClerkSecretKey

Signifies an error when the supplied client key is invalid.

{
  "shortMessage": "The provided Clerk Secret Key is invalid. Make sure that your Clerk Secret Key is correct.",
  "code": "clerk_key_invalid_code"
}

InvalidAuthentication

Signifies an error when the request is not authenticated.

{
  "shortMessage": "Invalid authentication",
  "longMessage": "Unable to authenticate the request, you need to supply an active session",
  "code": "authentication_invalid_code"
}

InvalidAuthorizationHeaderFormat

Signifies an error when the Authorization header has no proper format.

{
  "shortMessage": "Invalid Authorization header format",
  "longMessage": "Invalid Authorization header format. Must be 'Bearer <YOUR_API_KEY>'",
  "code": "authorization_header_format_invalid_code"
}

InvalidAuthorization

Signifies an error when the request is not authorized to perform the given operation.

{
  "shortMessage": "Unauthorized request",
  "longMessage": "You are not authorized to perform this request",
  "code": "authorization_invalid_code"
}

InvalidCSRFToken

Signifies an error when the request does not contain a CSRF token or the given token is invalid.

{
  "shortMessage": "Invalid or missing CSRF token",
  "longMessage": "To protect against CSRF attacks, the given request must include a valid CSRF token.",
  "code": "invalid_csrf_token_code"
}

MissingRequestHeaders

Signifies an error when the incoming request is missing mandatory headers.

For standard browsers

{
  "shortMessage": "Invalid request headers",
  "longMessage": "Your Clerk Frontend API is accessible from browsers and native applications. To protect against standard web attacks, the HTTP Origin header is required in browser requests. If you see this error, you probably accessed Clerk Frontend API directly from the address bar or a browser extension is intercepting your browser requests, removing the HTTP Origin header. For more information refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin.",
  "code": "request_header_missing_code"
}
{
  "shortMessage": "Invalid request headers",
  "longMessage": "Your Clerk Frontend API is accessible from browsers and native applications. To protect against common web attacks, we require the HTTP Authorization header to be present in native application requests. Make sure the HTTP Authorization header is set a valid Clerk client JWT or set it to an empty string for your first Frontend API request that will return your Clerk client JWT.",
  "code": "request_header_missing_code"
}

InvalidOriginHeader

Signifies an error when the origin header of the incoming request is invalid.

{
  "shortMessage": "Invalid HTTP Origin header",
  "longMessage": "The Request HTTP Origin header must be equal to or a subdomain of the requesting URL.",
  "code": "origin_invalid_code"
}

DevBrowserUnauthenticated

Signifies an error when the dev browser is not authenticated.

{
  "shortMessage": "Browser unauthenticated",
  "longMessage": "Unable to authenticate this browser for your development instance. Check your Clerk cookies and try again. If the issue persists reach out to support@clerk.com.",
  "code": "dev_browser_unauthenticated_code"
}

URLBasedSessionSyncingDisabled

Signifies an error when the incoming request attempts to use an endpoint with URL-based session syncing, when the instance operates with third-party cookies instead.

{
  "shortMessage": "URL-based session syncing is disabled for this instance",
  "longMessage": "This is a development instance operating with legacy, third-party cookies. To enable URL-based session syncing refer to https://clerk.com/docs/upgrade-guides/url-based-session-syncing.",
  "code": "url_based_session_syncing_disabled_code"
}

InvalidRequestForEnvironment

Signifies an error when the incoming request is invalid for given environment(s).

{
  "shortMessage": "Invalid request for environment",
  "longMessage": "Request only valid for <envTypesAsString> instances.",
  "code": "request_invalid_for_environment_code"
}

RequestInvalidForInstance

Signifies an error when the incoming request is invalid for the given instance, due to the auth_config.

{
  "shortMessage": "Invalid request for instance",
  "longMessage": "This request is not valid for your instance. Modify your instance settings to use this request.",
  "code": "request_invalid_for_instance_code"
}

InvalidHost

Signifies an error when the incoming request has an invalid host.

{
  "shortMessage": "Invalid host",
  "longMessage": "We were unable to attribute this request to an instance running on Clerk. Make sure that your Clerk Publishable Key is correct.",
  "code": "host_invalid_code"
}

IdentificationExists

Signifies an error when the identifier already exists.

External account exists

{
  "shortMessage": "already exists",
  "longMessage": "This external account already exists.",
  "code": "external_account_exists_code"
}
{
  "shortMessage": "already exists",
  "longMessage": "This email address already exists.",
  "code": "email_address_exists_code"
}
{
  "shortMessage": "already exists",
  "longMessage": "This phone number already exists.",
  "code": "phone_number_exists_code"
}
{
  "shortMessage": "already exists",
  "longMessage": "This username already exists.",
  "code": "username_exists_code"
}
{
  "shortMessage": "already exists",
  "longMessage": "This SAML account already exists.",
  "code": "external_account_exists_code"
}

IdentifierNotAllowedAccess

Signifies an error when the identifier provided is not allowed to access the application.

{
  "shortMessage": "Access not allowed.",
  "longMessage": "You are not allowed to access this application.",
  "code": "identifier_not_allowed_access_code"
}

SignedOut

Signifies an error when a user is signed out.

{
  "shortMessage": "Signed out",
  "longMessage": "You are signed out",
  "code": "signed_out_code"
}

InvalidUserSettings

Signifies an error where the auth settings of the instance are not well configured, which results in sign in and sign up endpoints to be restricted.

{
  "shortMessage": "invalid auth configuration",
  "longMessage": "The authentication settings are invalid.",
  "code": "invalid_user_settings_code"
}

InvalidHandshake

Signifies an error when the handshake request is invalid.

{
  "shortMessage": "invalid handshake",
  "longMessage": "The handshake request is invalid: <REASON>",
  "code": "invalid_handshake_code"
}

Feedback

What did you think of this content?

Last updated on