Skip to main content

Error codes

This page lists the SSO (OAuth) error codes the broker's CRM must return for the calls cTrader makes into it (cTrader → broker) — for example, verifying and exchanging an OT token or validating a long-term access token. Each endpoint entry in the reference links to the codes that apply to it. Endpoints the broker calls into cTrader (broker → cTrader) use a different scheme — see Broker-to-cTrader endpoint statuses below.

Standard HTTP status codes

Status codeDesignationGeneral usage
200OKRequest successful
400Bad RequestInvalid request parameters
403ForbiddenPermission denied
404Not FoundResource not found
410GoneResource expired
417Expectation FailedInvalid or non-existent token

SSO (OAuth) specific error codes

StatusError codeCause
400 Bad RequestNoneAt least one required field is not specified.
403 ForbiddenCH_CLIENT_AUTH_FAILUREInvalid password when requesting the CRM API token, or invalid crmApiToken when verifying and exchanging an OT token, verifying a long-term access token, or generating an OT token for an in-app action.
403 ForbiddenCH_INSUFFICIENT_PERMISSIONSBroker lacks access rights due to manager.disabledBrokerName configuration.
404 Not FoundOT token not foundcode not found in broker's backend (Verify and exchange OT token).
404 Not FoundLong-term access token not foundaccessToken not found in broker's backend (Verify long-term access token).
404 Not FoundUser identifier not founduserId not found in broker's backend (POST /oauth2/onetime/generate).
410 GoneCID_TOKEN_EXPIREDExpired token used to access broker's backend.
417 Expectation FailedCID_NON_EXISTED_TOKENAn invalid token is used to access the broker's backend.

Broker-to-cTrader endpoint statuses

The codes above are returned by the broker's CRM. The reverse-direction endpoints — those the broker calls into cTrader (broker → cTrader), authenticated with the Manager Token — do not use the CID_/CH_ scheme. These include create a trader, link a trading account, change a trader's balance, set a partner identifier, create or update in-app controls and the One-time token handoff redeem endpoint.

These endpoints return standard cID HTTP statuses: 200, 201 or 204 on success, and 401 Unauthorized, 403 Forbidden or 404 Not Found on failure. Note that they report an expired, consumed or non-existent token as 404 Not Found — not as the broker-side 410 CID_TOKEN_EXPIRED or 417 CID_NON_EXISTED_TOKEN — and an authentication failure as 401 Unauthorized rather than 403 CH_CLIENT_AUTH_FAILURE. The redeem endpoint documents its statuses explicitly.