Sigma Auth
Reference

Error Response Format

All Sigma Auth API endpoints return errors in a standardized format following OAuth 2.0 conventions:

error-format.json
{
  "error": "error_code",
  "error_description": "Human-readable description of the error",
  "error_uri": "https://sigmaidentity.com/docs/errors#error_code"
}

HTTP Status Codes

Status CodeDescription
200Success
400Bad Request - Invalid parameters
401Unauthorized - Authentication required
403Forbidden - Access denied
404Not Found - Resource not found
429Too Many Requests - Rate limit exceeded
500Internal Server Error
503Service Unavailable

OAuth 2.0 Errors

Authorization Endpoint Errors

invalid_request

invalid-request-error.json
{
  "error": "invalid_request",
  "error_description": "Missing required parameter: client_id"
}

Common causes:

  • Missing required parameters (client_id, redirect_uri, response_type)
  • Invalid parameter format
  • Malformed request

unauthorized_client

unauthorized-client-error.json
{
  "error": "unauthorized_client",
  "error_description": "Client is not authorized to use this authorization grant type"
}

Common causes:

  • Unregistered client ID
  • Client not authorized for requested grant type

access_denied

access-denied-error.json
{
  "error": "access_denied",
  "error_description": "User denied the authorization request"
}

Common causes:

  • User clicked "Cancel" or "Deny"
  • User failed authentication
  • Account suspended

unsupported_response_type

{
  "error": "unsupported_response_type",
  "error_description": "Response type 'token' is not supported"
}

Common causes:

  • Using unsupported response type (only code is supported)

invalid_scope

{
  "error": "invalid_scope",
  "error_description": "Requested scope 'admin' is not available"
}

Common causes:

  • Requesting non-existent scope
  • Requesting scope not authorized for client

server_error

{
  "error": "server_error",
  "error_description": "The authorization server encountered an unexpected condition"
}

temporarily_unavailable

{
  "error": "temporarily_unavailable",
  "error_description": "The authorization server is currently unable to handle the request"
}

Token Endpoint Errors

invalid_request

{
  "error": "invalid_request",
  "error_description": "Missing required parameter: code"
}

invalid_client

{
  "error": "invalid_client",
  "error_description": "Client authentication failed"
}

invalid_grant

{
  "error": "invalid_grant",
  "error_description": "Authorization code is invalid or expired"
}

Common causes:

  • Expired authorization code (codes expire after 10 minutes)
  • Code already used (codes are single-use)
  • Invalid code format

unauthorized_client

{
  "error": "unauthorized_client",
  "error_description": "Client is not authorized to use this grant type"
}

unsupported_grant_type

{
  "error": "unsupported_grant_type",
  "error_description": "Grant type 'password' is not supported"
}

invalid_scope

{
  "error": "invalid_scope",
  "error_description": "Requested scope exceeds authorized scope"
}

Bitcoin Authentication Errors

Signature Verification Errors

invalid_signature

{
  "error": "invalid_signature",
  "error_description": "Bitcoin signature verification failed"
}

Common causes:

  • Invalid signature format
  • Signature doesn't match message
  • Wrong private key used

invalid_timestamp

{
  "error": "invalid_timestamp",
  "error_description": "Signature timestamp is too old or too far in the future"
}

Common causes:

  • System clock drift
  • Replay attack attempt
  • Timestamp format errors

invalid_public_key

{
  "error": "invalid_public_key",
  "error_description": "Public key is not a valid secp256k1 point"
}

Common causes:

  • Malformed public key
  • Wrong curve (not secp256k1)
  • Corrupted key data

missing_auth_token

{
  "error": "missing_auth_token",
  "error_description": "X-Auth-Token header is required for Bitcoin authentication"
}

malformed_auth_token

{
  "error": "malformed_auth_token",
  "error_description": "Auth token format is invalid"
}

Expected format: sigma:address:signature_data

API-Specific Errors

User Info Endpoint

invalid_token

{
  "error": "invalid_token",
  "error_description": "Access token is invalid or expired"
}

insufficient_scope

{
  "error": "insufficient_scope",
  "error_description": "Token does not have required scope for this resource"
}

Backup Service Errors

backup_not_found

{
  "error": "backup_not_found",
  "error_description": "No backup found for this user"
}

backup_too_large

{
  "error": "backup_too_large",
  "error_description": "Backup size exceeds maximum allowed limit of 1MB"
}

invalid_backup_format

{
  "error": "invalid_backup_format",
  "error_description": "Backup data is not properly formatted"
}

encryption_required

{
  "error": "encryption_required",
  "error_description": "Backup data must be encrypted before storage"
}

Rate Limiting Errors

rate_limit_exceeded

{
  "error": "rate_limit_exceeded",
  "error_description": "Too many requests. Please try again later.",
  "retry_after": 60
}

Response Headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1642248600
Retry-After: 60

Provider-Specific Errors

Google OAuth Errors

google_auth_failed

{
  "error": "google_auth_failed",
  "error_description": "Google authentication was unsuccessful",
  "provider_error": "access_denied"
}

GitHub OAuth Errors

github_auth_failed

{
  "error": "github_auth_failed",
  "error_description": "GitHub authentication was unsuccessful",
  "provider_error": "application_suspended"
}

Error Handling Strategies

Client-Side Error Handling

error-handler.ts
interface SigmaAuthError {
    error: string;
    error_description: string;
    error_uri?: string;
    retry_after?: number;
    provider_error?: string;
}

class SigmaAuthClient {
    async handleError(response: Response): Promise<never> {
        const error: SigmaAuthError = await response.json();
        
        switch (error.error) {
            case 'rate_limit_exceeded':
                const retryAfter = error.retry_after || 60;
                throw new RateLimitError(error.error_description, retryAfter);
                
            case 'invalid_grant':
                // Authorization code expired or invalid
                throw new AuthorizationError(error.error_description);
                
            case 'access_denied':
                // User denied access
                throw new AccessDeniedError(error.error_description);
                
            case 'invalid_signature':
                // Bitcoin signature verification failed
                throw new SignatureError(error.error_description);
                
            default:
                throw new SigmaAuthError(error.error, error.error_description);
        }
    }
}

Retry Logic

retry-logic.ts
const retryWithBackoff = async (
    operation: () => Promise<Response>,
    maxRetries: number = 3
): Promise<Response> => {
    for (let attempt = 1; attempt <= maxRetries; attempt++) {
        try {
            const response = await operation();
            
            if (response.ok) {
                return response;
            }
            
            if (response.status === 429) {
                // Rate limited - check retry-after header
                const retryAfter = response.headers.get('retry-after');
                const delay = retryAfter ? parseInt(retryAfter) * 1000 : Math.pow(2, attempt) * 1000;
                
                if (attempt < maxRetries) {
                    await new Promise(resolve => setTimeout(resolve, delay));
                    continue;
                }
            }
            
            if (response.status >= 500 && attempt < maxRetries) {
                // Server error - retry with exponential backoff
                const delay = Math.pow(2, attempt) * 1000;
                await new Promise(resolve => setTimeout(resolve, delay));
                continue;
            }
            
            return response;
        } catch (error) {
            if (attempt === maxRetries) {
                throw error;
            }
            
            // Network error - retry with exponential backoff
            const delay = Math.pow(2, attempt) * 1000;
            await new Promise(resolve => setTimeout(resolve, delay));
        }
    }
    
    throw new Error('Max retries exceeded');
};

Error Recovery

error-recovery.ts
const authenticateWithRecovery = async (provider: string) => {
    try {
        return await authenticate(provider);
    } catch (error) {
        if (error instanceof AuthorizationError) {
            // Clear stored authorization code and retry
            clearStoredAuthCode();
            return await authenticate(provider);
        }
        
        if (error instanceof SignatureError) {
            // Regenerate signature with current timestamp
            return await authenticateWithNewSignature(provider);
        }
        
        if (error instanceof RateLimitError) {
            // Wait for rate limit to reset
            await new Promise(resolve => 
                setTimeout(resolve, error.retryAfter * 1000)
            );
            return await authenticate(provider);
        }
        
        throw error;
    }
};

Debugging Errors

Enable Debug Mode

debug-setup.js
// Client-side debugging
localStorage.setItem('sigma_debug', 'true');

// This will log additional error details to console

Error Logging

error-logger.ts
const logError = (error: SigmaAuthError, context: any) => {
    const errorData = {
        error: error.error,
        description: error.error_description,
        timestamp: new Date().toISOString(),
        context: context,
        userAgent: navigator.userAgent,
        url: window.location.href
    };
    
    // Send to logging service
    console.error('Sigma Auth Error:', errorData);
};

Common Debugging Steps

  1. Check Network Tab: Verify request/response details
  2. Validate Parameters: Ensure all required parameters are present
  3. Check Timestamps: Verify system clock is synchronized
  4. Test with Sandbox: Use sandbox environment for testing
  5. Verify Signatures: Use debug tools to validate signature generation

Error Prevention

Best Practices

  1. Validate Input: Check parameters before making API calls
  2. Handle Timeouts: Implement proper timeout handling
  3. Store State Securely: Protect OAuth state parameters
  4. Synchronize Clocks: Ensure accurate timestamps
  5. Monitor Rate Limits: Track API usage to avoid limits

Pre-flight Validation

request-validation.ts
const validateAuthRequest = (params: AuthParams): void => {
    if (!params.client_id) {
        throw new Error('client_id is required');
    }
    
    if (!params.redirect_uri) {
        throw new Error('redirect_uri is required');
    }
    
    if (!isValidUrl(params.redirect_uri)) {
        throw new Error('redirect_uri must be a valid HTTPS URL');
    }
    
    if (params.provider && !['sigma', 'google', 'github'].includes(params.provider)) {
        throw new Error('Invalid provider specified');
    }
};

Support

For additional help with errors: