We’re using client credentials hooks and want to reject authorisation on certain conditions. It appears that we can do this in the hook by simply passing back a string as the first argument to the callback, which appears as the error description when consumers call /oauth/token endpoint. However, this returns a status code of 500. In our case a 403 is probably a better choice.
Is there a way to control the returned status code?
It seems passing back an error like new UnauthorizedError('some error') like some of the rule examples still returns a 500 status code but a worse error description of Script generated an unhandled asynchronous exception.
Also some more examples or documentation around hooks would be awesome.