auth.token_invalid
The magic-link token failed signature verification or shape check and cannot be trusted.
auth.token_invalid is returned when the presented magic-link token fails HMAC signature verification or does not conform to the expected shape. This is distinct from auth.token_expired (timing) and auth.token_used (replay).
The token was tampered with, truncated, or constructed outside the platform. It may also appear if the token was URL-decoded incorrectly by an intermediary before reaching the endpoint.
Request a new magic-link. Ensure the full token string (including any = padding) is passed without re-encoding or stripping characters.
{
"error": {
"code": "auth.token_invalid",
"message": "magic-link token failed verification",
"request_id": "req_01900000abc"
}
}