I found this question on the old forum about a specific error: https://auth0.com/forum/t/password-policy-error-message/1302 . In the answer it is stated that the error codes from the management API are generic types of errors and only the actual message can be used to determine what the specific error is.
Is this still the case - shall we still use the messages to determine the specific type of error?
The Management API can return the same status code for various types of errors. These can be seen in the Management API explorer.
As an example, the responses for the GET users call include:
400 Invalid request query string. The message will vary depending on the cause.
400 The 'q' parameter is available only if you specify 'search_engine=v2'
401 Invalid token.
401 Client is not global.
401 Invalid signature received for JSON Web Token validation
As you can see, the 400 and 401 codes are used for different reasons - you should check the response messages for the specific errors.
Yes, it can return the same status code and even message for different errors. What I’m asking about is the JSON in the response. It has an errorCode and a message field. If you read the post I linked to, you will see that Auth0 is indicating that we need to determine the type of error based on the human-readable message field in the JSON. As this smells, I wanted to make sure that this is still the official advice and I’m not missing something.
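One way to contain the message matching discussed in this thread, as an added example that is not from either poster or from Auth0: a single function maps the status code and the message strings listed in the answer to internal categories, and returns the errorCode alongside so callers can log it. The function name, category labels and sample bodies are assumptions made for this sketch; only the errorCode and message fields and the quoted message texts come from the thread.

```python
import json
import re

# Patterns come from the GET users responses quoted in the answer above.
# The category names are this example's own labels, not Auth0 identifiers.
MESSAGE_RULES = [
    (400, re.compile(r"'q' parameter is available only if", re.I), "search_engine_required"),
    (401, re.compile(r"invalid signature received", re.I), "token_bad_signature"),
    (401, re.compile(r"client is not global", re.I), "client_not_global"),
    (401, re.compile(r"invalid token", re.I), "token_invalid"),
]
# Used when no pattern matches, e.g. the 400 whose message varies by cause.
FALLBACK = {400: "bad_request", 401: "unauthorized"}


def classify_error(status, body):
    """Map an error response to (category, errorCode, message) without raising."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        doc = None  # empty, non-JSON or proxy-generated body
    if not isinstance(doc, dict):
        doc = {}
    error_code = doc.get("errorCode")
    message = doc.get("message")
    error_code = error_code if isinstance(error_code, str) else None
    message = message if isinstance(message, str) else ""
    for rule_status, pattern, category in MESSAGE_RULES:
        if rule_status == status and pattern.search(message):
            return category, error_code, message
    # Unknown wording: degrade to the status-level category, keep the raw fields.
    return FALLBACK.get(status, "http_%d" % status), error_code, message


# Constructed sample bodies; the errorCode values are placeholders.
SAMPLES = [
    (401, '{"errorCode": "placeholder_code", "message": "Invalid signature received for JSON Web Token validation"}'),
    (401, '{"errorCode": "placeholder_code", "message": "Client is not global."}'),
    (400, '{"errorCode": "placeholder_code", "message": "Some new wording"}'),
    (401, "<html>gateway error</html>"),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, classify_error(status, body)[0])
```

Because the wording can change, a response that matches no pattern falls back to a status-level category instead of failing, and the raw errorCode and message are returned for logging.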