API Troubleshooting Guide
π Authentication Error: Invalid or Modified Scope
Symptom
Fail to get a proper auth token.
Possible Cause
Our API enforces a single, fixed scope. If you try to change it, or mistype it, the authorization server will reject your request. This scope will give you full access to the API.
Fixed scope:
urn:zitadel:iam:org:project:id:314876184947078893:aud
Resolution
- Use the exact scope value
Do not alter or shorten the string. For example, your token request must include:curl -X POST https://auth.questback.com/oauth/token -d 'grant_type=client_credentials' -d 'scope=urn:zitadel:iam:org:project:id:314876184947078893:aud' -u CLIENT_ID:CLIENT_SECRET - Check for typos or encoding issues
- No extra spaces, missing colons, or URL-encoding of
:. - If youβre building the URL programmatically, verify your string literal exactly matches the fixed scope.
- No extra spaces, missing colons, or URL-encoding of
π Authentication Error: Invalid Client ID (404 Not Found)
Symptom
When requesting an access token with an incorrect client ID, you could receive an error like:
{"error":"invalid_client","error_description":"client not found"}
Cause
The authorization server cannot find a matching client using the provided credentials. This typically happens if:
- The
CLIENT_IDis mistyped or does not exist. - The client has been deleted or disabled in Essentials.
Resolution
-
Verify your Client ID
- Copy the
CLIENT_IDdirectly from the Essentials Api login setup. - Ensure there are no extra characters, missing letters, or spaces.
echo -n "YOUR_CLIENT_ID" | od -c - Copy the
-
Check the authentication endpoint
- Confirm youβre pointing to the correct domain:
https://auth.questback.com/oauth/v2/token
- Confirm youβre pointing to the correct domain:
-
Validate credentials usage
- Use the right combination of
CLIENT_IDandCLIENT_SECRET:curl -X POST https://auth.questback.com/oauth/v2/token -d 'grant_type=client_credentials' -d 'scope=urn:zitadel:iam:org:project:id:314876184947078893:aud' -u YOUR_CLIENT_ID:YOUR_CLIENT_SECRET
- Use the right combination of
-
Regenerate client credentials
- If the ID is correct but the error persists, create a new Api Login in Essentials and update your application with the new
CLIENT_IDandCLIENT_SECRET.
- If the ID is correct but the error persists, create a new Api Login in Essentials and update your application with the new
π Authentication Error: Invalid Client Secret
Symptom
When requesting an access token with an incorrect client secret, you could receive an error like:
{"error":"invalid_request","error_description":"Errors.User.Machine.Secret.Invalid"}
Cause
The authorization server could not validate the client credentials because the provided client secret is invalid. This happens if:
- The
CLIENT_SECRETis mistyped, truncated, or otherwise incorrect. - You're using credentials from the wrong client or environment.
- The secret was regenerated in the Essentials web application.
Resolution
- Verify your Client Secret
- Copy the
CLIENT_SECRETdirectly from the Essentials Api login setup page. - Ensure there are no missing characters, extra whitespace, or URL-encoding issues.
echo -n "YOUR_CLIENT_SECRET" | od -c - Copy the
- Check the client pairing
- Confirm that youβre using the matching
CLIENT_IDandCLIENT_SECRET. - Example:
curl -X POST https://auth.questback.com/oauth/token -d 'grant_type=client_credentials' -d 'scope=urn:zitadel:iam:org:project:id:314876184947078893:aud' -u YOUR_CLIENT_ID:YOUR_CLIENT_SECRET - Confirm that youβre using the matching
- Regenerate the client secret
- In Essentials web application, regenerate the secret for your client.
- Update your application configuration with the new secret.
