#[non_exhaustive]pub enum ErrorKind {
InvalidGrant,
ReauthRequired,
Transport {
retryable: bool,
},
Protocol,
Auth,
DPoP,
Config,
Crypto,
RequestRejected,
Backoff,
}Expand description
Classification of an Error.
Marked #[non_exhaustive]: match with a wildcard arm. Variants are kept
coarse deliberately — additions are non-breaking, removals are not.
Most application code does not need to match individual variants: the three signals described in the error model (retry / re-authenticate / fail) are the intended consumption pattern.
Variants (Non-exhaustive)§
This enum is marked as non-exhaustive
InvalidGrant
RFC 6749 §5.2 invalid_grant — the grant itself is dead.
Seen when driving a grant directly. A token cache absorbs this kind:
it discards the rejected refresh token and reports
ReauthRequired once no token source remains.
ReauthRequired
No token can be obtained without re-running the interactive flow: the refresh token is missing or was definitively rejected, and no usable grant parameters remain.
Transient failures are deliberately not classified as this kind —
they keep their retryable classification (see
Error::is_retryable), since a later call may succeed without user
involvement.
Transport
Transport-level failure.
Fields
retryable: boolIf true, re-sending the request is known to be safe and may
succeed: either the request never reached the server, or it was
declared Idempotency::Idempotent
and the failure was transient. Requests of
unknown idempotency are
only retryable when they provably never reached the server.
Protocol
Malformed or invalid server response.
Auth
Client authentication could not be constructed.
DPoP
DPoP proof construction or handling failed.
Config
Builder, URL, or other setup error.
Crypto
Cryptographic operation failed.
RequestRejected
The request was rejected for its parameters, but the credential is
intact (RFC 6749 §5.2 invalid_scope, RFC 8707 invalid_target).
Recoverable by adjusting the request — narrowing the requested scope, fixing the resource indicator — and retrying with the same credential. Re-authentication does not help, and a token cache deliberately does not discard the parameter source for this kind.
Backoff
No token can be obtained right now, but the source expects the condition
to clear on its own: it is backing off after repeated non-recoverable
failures from scratch (for example an assertion signer that keeps
producing values the server rejects with invalid_grant).
Distinct from its neighbours. Unlike ReauthRequired
it does not call for re-running the interactive flow: a later
automatic call, after the source’s cooldown, may succeed once the
underlying cause is fixed (a rotated signing key, a corrected clock).
Unlike a retryable Transport failure, retrying
immediately will not help — wait for the cooldown before re-attempting.
In short: try again later, without user involvement.