Error reference
| HTTP Status | When it happens |
|---|---|
| 400 Bad Request | Invalid parameters, expired or already-used authorization code, redirect URI mismatch, requested scopes not valid |
| 401 Unauthorized | Invalid or expired access token, invalid client credentials, expired session on consent screen |
| 403 Forbidden | Token does not have the required scope for the endpoint being called |
| 404 Not Found | Token, grant, or app not found |
| 429 Too Many Requests | Rate limit exceeded. Check the Retry-After header for when to retry |
Common error scenarios
400 redirect URI mismatch
The redirect_uri in the token exchange request doesn’t exactly match the one registered for your app or the one used in the authorization URL. All three must match character-for-character.
400 invalid or expired code
Authorization codes expire after 10 minutes and can only be used once. If the exchange fails, start a new authorization flow.
401 token expired
Access tokens expire after 1 hour. Use your refresh token to get a new one. See Token Management.
401 user revoked access
The user removed your app’s access from their Monei settings. Clear the stored tokens and prompt the user to reconnect.
403 missing scope
The access token doesn’t include the scope required for the endpoint. The user didn’t grant that permission. See Partial Grants for how to request it.
Rate limits
| Endpoint | Limit |
|---|---|
| POST /connect/token | 10 requests / minute |
| GET /connect/authorize | 20 requests / minute |
| POST /connect/authorize | 20 requests / minute |

Requests over these limits receive a 429 response with a Retry-After header indicating how many seconds to wait before retrying.
Error response format
statusCode and message in your error handler. The message field gives you the specific reason in plain English.
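
An error handler built on the cases above, as an added example rather than Monei's own code. The function names, action names, fallback wait and wait cap are assumptions of this sketch; only the status codes, the Retry-After header, and the statusCode and message fields come from this page.

```javascript
// Added example: maps the documented error cases to a recovery action.
// Action names, the fallback wait and the cap are assumptions of this sketch.
const FALLBACK_WAIT_S = 6;  // assumed: spacing for 10 requests/minute on POST /connect/token
const MAX_WAIT_S = 300;     // assumed cap so a malformed header cannot stall a worker

// Retry-After is documented here as a number of seconds.
function retryAfterMs(headerValue) {
  const s = Number.parseInt(String(headerValue ?? '').trim(), 10);
  const seconds = Number.isFinite(s) && s >= 0 ? s : FALLBACK_WAIT_S;
  return Math.min(seconds, MAX_WAIT_S) * 1000;
}

// error: parsed response body carrying statusCode and message.
// state.refreshed: true if a token refresh was already tried for this request.
function planRecovery(error, retryAfterHeader, state = {}) {
  const log = error.message; // log the reason; never log the token or code itself
  switch (error.statusCode) {
    case 400:
      // Codes are single-use and expire after 10 minutes: never replay one.
      return { action: 'restart_authorization', log };
    case 401:
      // First 401: assume the 1-hour token expired and refresh once.
      // A 401 after refreshing means access is gone: clear tokens, reconnect.
      return state.refreshed
        ? { action: 'clear_tokens_and_reconnect', log }
        : { action: 'refresh_token', log };
    case 403:
      // The user did not grant the scope; retrying the same call cannot succeed.
      return { action: 'request_missing_scope', log };
    case 429:
      return { action: 'wait_and_retry', waitMs: retryAfterMs(retryAfterHeader), log };
    default:
      // 404 and anything unexpected: surface the error, do not retry blindly.
      return { action: 'fail', log };
  }
}
```

Bounding the 401 path to a single refresh attempt keeps a revoked grant from turning into a refresh loop that also burns the 10 requests / minute limit on POST /connect/token.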

