What it means
The caller presented a bearer token that Passport recognizes as previously issued, but its lifetime has elapsed. Distinct fromAUTH_REQUIRED because your refresh_token should still work — you do not need to run a full OAuth consent again.
How to fix
- Exchange your
refresh_tokenfor a newaccess_tokenat the Passport token endpoint. - Retry the original tool call with the new bearer.
- If refresh also fails, fall back to the full OAuth consent flow — the connection may have been revoked.
Response envelope
details is empty for this code.
Related
AUTH_REQUIRED— no valid token was presented at all.CONNECTION_EXPIRED— the Aeris bearer is fine, but a partner OAuth grant behind the tool has lapsed.