Error codes
This page lists the SSO (OAuth) error codes the broker's CRM must return for the calls cTrader makes into it (cTrader → broker) — for example, verifying and exchanging an OT token or validating a long-term access token. Each endpoint entry in the reference links to the codes that apply to it. Endpoints the broker calls into cTrader (broker → cTrader) use a different scheme — see Broker-to-cTrader endpoint statuses below.
Standard HTTP status codes
| Status code | Designation | General usage |
|---|---|---|
200 | OK | Request successful |
400 | Bad Request | Invalid request parameters |
403 | Forbidden | Permission denied |
404 | Not Found | Resource not found |
410 | Gone | Resource expired |
417 | Expectation Failed | Invalid or non-existent token |
SSO (OAuth) specific error codes
| Status | Error code | Cause |
|---|---|---|
400 Bad Request | None | At least one required field is not specified. |
403 Forbidden | CH_CLIENT_AUTH_FAILURE | Invalid password when requesting the CRM API token, or invalid crmApiToken when verifying and exchanging an OT token, verifying a long-term access token, or generating an OT token for an in-app action. |
403 Forbidden | CH_INSUFFICIENT_PERMISSIONS | Broker lacks access rights due to manager.disabledBrokerName configuration. |
404 Not Found | OT token not found | code not found in broker's backend (Verify and exchange OT token). |
404 Not Found | Long-term access token not found | accessToken not found in broker's backend (Verify long-term access token). |
404 Not Found | User identifier not found | userId not found in broker's backend (POST /oauth2/onetime/generate). |
410 Gone | CID_TOKEN_EXPIRED | Expired token used to access broker's backend. |
417 Expectation Failed | CID_NON_EXISTED_TOKEN | An invalid token is used to access the broker's backend. |
Broker-to-cTrader endpoint statuses
The codes above are returned by the broker's CRM. The reverse-direction endpoints — those the broker calls into cTrader (broker → cTrader), authenticated with the Manager Token — do not use the CID_/CH_ scheme. These include create a trader, link a trading account, change a trader's balance, set a partner identifier, create or update in-app controls and the One-time token handoff redeem endpoint.
These endpoints return standard cID HTTP statuses: 200, 201 or 204 on success, and 401 Unauthorized, 403 Forbidden or 404 Not Found on failure. Note that they report an expired, consumed or non-existent token as 404 Not Found — not as the broker-side 410 CID_TOKEN_EXPIRED or 417 CID_NON_EXISTED_TOKEN — and an authentication failure as 401 Unauthorized rather than 403 CH_CLIENT_AUTH_FAILURE. The redeem endpoint documents its statuses explicitly.