Exceptions¶
All library-specific failures are expressed as LitestarAuthError (or a subclass). Each exception carries a human-readable message and a stable code string. The library's machine-readable codes live on the ErrorCode StrEnum: member names match their string values, so codes serialize cleanly to JSON and compare naturally to plain strings. The enum includes UNKNOWN, used as the default for base LitestarAuthError instances and as the JSON code fallback for plugin-owned auth routes when a ClientException has no string code in extra.
Concrete types group related failures: AuthenticationError covers login and identity problems (with narrower types such as UserAlreadyExistsError, UserNotExistsError, InvalidPasswordError, InactiveUserError, UnverifiedUserError, and OAuthAccountAlreadyLinkedError). UserAlreadyExistsError accepts keyword-only duplicate context via identifier=UserIdentifier(...), mirrors that payload onto identifier_type and identifier_value, and keeps the default message generic so public responses do not reveal the colliding identifier. InvalidPasswordError keeps optional operator-only user_id context and uses the same keyword-only constructor shape. OAuthAccountAlreadyLinkedError carries the conflicting provider identity on the exception instance via provider, account_id, and existing_user_id, and its default message includes that context for operator-facing logs. TokenError covers token lifecycle issues (for example InvalidVerifyTokenError and InvalidResetPasswordTokenError). AuthorizationError is raised when the caller is authenticated but not permitted; structured role-guard failures use the dedicated INSUFFICIENT_ROLES code, and structured permission-guard failures use INSUFFICIENT_PERMISSIONS while keeping required/granted permission names off default messages. ConfigurationError indicates invalid plugin or library configuration. Not every ErrorCode has a dedicated exception class—some codes are used directly where a shared shape is enough.
The bundled HTTP controllers translate these exceptions into HTTP responses (status codes and structured error payloads) without manual mapping in typical apps. For a table of codes, HTTP mapping, and user-facing messages, see Errors reference. The same ErrorCode may appear with different HTTP statuses depending on context — for example, TOKEN_PROCESSING_FAILED is usually 401 or 400 for invalid tokens, and 503 when denylist storage cannot accept a required revocation or pending-JTI write under capacity pressure (see the errors reference and Security).
litestar_auth.exceptions
¶
Custom exception hierarchy for litestar-auth.
ApiKeyError(message=None, code=None)
¶
Bases: LitestarAuthError
Raised when an API-key manager operation fails.
Source code in litestar_auth/exceptions.py
ApiKeyLimitReachedError(*, max_keys_per_user, message=None, code=None)
¶
Bases: ApiKeyError
Raised when a user has reached the configured active API-key limit.
Initialize the limit error with structured policy context.
Source code in litestar_auth/exceptions.py
ApiKeyNotFoundError(message=None, code=None)
¶
Bases: ApiKeyError
Raised when an API key cannot be found in the caller's ownership scope.
Source code in litestar_auth/exceptions.py
ApiKeyScopeDeniedError(*, denied_scopes, message=None, code=None)
¶
Bases: ApiKeyError
Raised when requested API-key scopes are outside the configured whitelist.
Initialize the scope-denial error with structured scope context.
Source code in litestar_auth/exceptions.py
AuthenticationError(message=None, code=None)
¶
Bases: LitestarAuthError
Raised when authentication fails.
Source code in litestar_auth/exceptions.py
AuthorizationError(message=None, code=None)
¶
Bases: LitestarAuthError
Raised when an authenticated user is not allowed to perform an action.
Source code in litestar_auth/exceptions.py
ConfigurationError(message=None, code=None)
¶
Bases: LitestarAuthError
Raised when the library is configured incorrectly.
Source code in litestar_auth/exceptions.py
ExpiredOrganizationInvitationTokenError(message=None, code=None)
¶
Bases: InvalidOrganizationInvitationTokenError
Raised when an organization invitation token or row is expired.
Source code in litestar_auth/exceptions.py
InactiveUserError(message=None, code=None)
¶
Bases: AuthenticationError
Raised when an operation requires an active account.
Source code in litestar_auth/exceptions.py
InsufficientOrganizationPermissionsError(*, required_permissions, granted_permissions, require_all, message=None, code=None)
¶
Bases: InsufficientPermissionsError
Raised when a user does not satisfy an organization permission check.
Initialize the organization permission-denial error with structured permission context.
Source code in litestar_auth/exceptions.py
InsufficientOrganizationRolesError(*, required_roles, user_roles, require_all, message=None, code=None)
¶
Bases: InsufficientRolesError
Raised when a user does not satisfy an organization role check.
Initialize the organization role-denial error with structured role context.
Source code in litestar_auth/exceptions.py
InsufficientPermissionsError(*, required_permissions, granted_permissions, require_all, message=None, code=None)
¶
Bases: AuthorizationError
Raised when a user does not satisfy a permission-based authorization check.
Initialize the permission-denial error with structured permission context.
Source code in litestar_auth/exceptions.py
InsufficientRolesError(*, required_roles, user_roles, require_all, message=None, code=None)
¶
Bases: AuthorizationError
Raised when a user does not satisfy a role-based authorization check.
Initialize the role-denial error with structured role context.
Source code in litestar_auth/exceptions.py
InvalidOrganizationInvitationTokenError(message=None, code=None)
¶
Bases: OrganizationAdminError
Raised when an organization invitation token or row state is invalid.
Source code in litestar_auth/exceptions.py
InvalidPasswordError(*, user_id=None, message=None, code=None)
¶
Bases: AuthenticationError
Raised when a password does not match the stored credentials.
Optional user_id context is stored on the instance for operator logging
without changing the response message sent to clients.
Initialize the invalid-password error with optional operator-only context.
Source code in litestar_auth/exceptions.py
InvalidResetPasswordTokenError(message=None, code=None)
¶
Bases: TokenError
Raised when a password reset token is invalid or expired.
Source code in litestar_auth/exceptions.py
InvalidVerifyTokenError(message=None, code=None)
¶
Bases: TokenError
Raised when an email verification token is invalid or expired.
Source code in litestar_auth/exceptions.py
LitestarAuthError(message=None, code=None)
¶
Bases: Exception
Base exception for all library-specific errors.
Initialize the exception with a default or custom message and explicit or inherited code.
Source code in litestar_auth/exceptions.py
OAuthAccountAlreadyLinkedError(*, provider, account_id, existing_user_id, message=None, code=None)
¶
Bases: AuthenticationError
Raised when an OAuth provider identity is already linked to another user.
Persistence layer refuses cross-user rebinding: one provider identity (oauth_name, account_id) can only be linked to a single local user.
Initialize the linked-account conflict with provider context.
Source code in litestar_auth/exceptions.py
OrganizationAdminError(message=None, code=None)
¶
Bases: LitestarAuthError
Raised when an organization-admin operation fails.
Concrete subclasses carry a specific default_code; the base keeps the
generic ErrorCode.UNKNOWN inherited from :class:LitestarAuthError.
Source code in litestar_auth/exceptions.py
OrganizationAlreadyExistsError(message=None, code=None)
¶
Bases: OrganizationAdminError
Raised when an organization slug is already assigned.
Source code in litestar_auth/exceptions.py
OrganizationInvitationEmailMismatchError(message=None, code=None)
¶
Bases: InvalidOrganizationInvitationTokenError
Raised when the authenticated user does not own the invited email address.
Source code in litestar_auth/exceptions.py
OrganizationLastPrivilegedMemberError(message=None, code=None)
¶
Bases: OrganizationAdminError
Raised when an operation would remove the final privileged organization member.
Source code in litestar_auth/exceptions.py
OrganizationMembershipAlreadyExistsError(message=None, code=None)
¶
Bases: OrganizationAdminError
Raised when an organization membership already exists.
Source code in litestar_auth/exceptions.py
OrganizationMembershipNotFoundError(message=None, code=None)
¶
Bases: OrganizationAdminError
Raised when an organization membership lookup target is unknown.
Source code in litestar_auth/exceptions.py
OrganizationNotFoundError(message=None, code=None)
¶
Bases: OrganizationAdminError
Raised when an organization-admin lookup target is unknown.
Source code in litestar_auth/exceptions.py
RefreshSessionNotFoundError(message=None, code=None)
¶
Bases: TokenError
Raised when a user-scoped refresh session cannot be found.
Source code in litestar_auth/exceptions.py
SecurityWarning
¶
Bases: UserWarning
Warning emitted for security-sensitive insecure defaults.
SessionManagementUnsupportedError(message=None, code=None)
¶
Bases: TokenError
Raised when a strategy cannot manage refresh sessions.
Source code in litestar_auth/exceptions.py
TokenError(message=None, code=None)
¶
Bases: LitestarAuthError
Raised when token operations fail.
Source code in litestar_auth/exceptions.py
UnverifiedUserError(message=None, code=None)
¶
Bases: AuthenticationError
Raised when an operation requires a verified account.
Source code in litestar_auth/exceptions.py
UserAlreadyExistsError(*, identifier=None, message=None, code=None)
¶
Bases: AuthenticationError
Raised when creating a user that already exists.
Duplicate identifier context is stored on the exception instance for
operator logging, but the generated default message stays generic. The
public register controller further maps this exception to the shared
REGISTER_FAILED response so callers cannot distinguish duplicate
identifiers from other registration failures.
Initialize the duplicate-user error with optional identifier context.
Source code in litestar_auth/exceptions.py
UserNotExistsError(message=None, code=None)
¶
Bases: AuthenticationError
Raised when a requested user cannot be found.
Source code in litestar_auth/exceptions.py
totp_stepup_required_exception()
¶
Return the stable 403 client response for missing recent TOTP verification.