Skip to content

Verification window expired

ERR-P01-IDT-0410 - Verification window expired

Section titled “ERR-P01-IDT-0410 - Verification window expired”

A time-boxed verification artifact (e.g. an email verification code) has aged out and can no longer be redeemed.

  • Reserved for the case where a verification window has demonstrably elapsed and the server is willing to say so explicitly.
  • Note: on the live humans flow, an expired verification code does not surface this code - POST /v1/humans/verify deliberately collapses every failure (no row / wrong code / expired window) into the single oracle-safe ERR-P01-IDT-1100 to avoid leaking which emails exist. This 410 is therefore reserved for non-enumeration-sensitive windows.
  • Request a fresh code via POST /v1/humans/rotate and submit the new one within the 30-minute window.
  • Do not retry the expired code - it is permanently consumed.
  • Reserved - not currently emitted. The expired-window branch of packages/identity/src/service/human.ts (verify, the v.expiresAt <= now check) intentionally throws invalid_credentials (ERR-P01-IDT-1100) instead, for enumeration safety. Declared in packages/spec/identity/errors.tsp as the generic 410.
{
"type": "https://citizenry.id/errors/ERR-P01-IDT-0410",
"title": "Gone",
"status": 410,
"code": "ERR-P01-IDT-0410",
"message": "verification window has expired",
"method": "POST",
"instance": "/v1/humans/verify",
"request_url": "https://api.citizenry.id/v1/humans/verify",
"timestamp": "2026-05-17T07:00:00.000Z"
}
  • 0.1.0 - introduced.