# Why do I keep getting errors.unknown_or_used when requesting an access_token?

The `code` that is generated when a user goes through the authorization process is restricted in a number of ways. This error means one of two things:

- The code has expired or has already been used

Codes are single-use and expire in a relatively short time frame. So if you’re building an auth flow from scratch and not using something like Omniauth, you will need to be careful to request a new code each time you want to test your `access_token` redemption process.

- The information passed when redeeming the code doesn’t match the authorization values.

The most common cause of this is that the `redirect_uri` value passed to [Request Access Token](/developers/api/authorization/request-token/index.md) doesn’t match the one used in the [Authorization Request](/developers/api/authorization/request-authorization/index.md).

You can inspect the token request in your Developer Dashboard and cross-reference it against the preceding authorization request.

These restrictions help to mitigate the risk of a `code` ending up in the wrong hands.
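The checks described above, modelled as a small server-side code store in Ruby. This is an added example, not the provider's implementation: `CodeStore`, the 60-second lifetime, burning the code on a failed attempt, and the sample client and URI values are all assumptions.

```ruby
require "securerandom"

# Illustrative model of an authorization server's code store (hypothetical
# class and method names; not the provider's implementation).
class CodeStore
  Grant = Struct.new(:client_id, :redirect_uri, :expires_at)

  def initialize(ttl: 60) # lifetime in seconds is an assumed value
    @ttl = ttl
    @grants = {}
  end

  # Authorization Request step: issue a code bound to client and redirect_uri.
  def issue(client_id:, redirect_uri:, now: Time.now)
    code = SecureRandom.urlsafe_base64(24)
    @grants[code] = Grant.new(client_id, redirect_uri, now + @ttl)
    code
  end

  # Request Access Token step: every failure yields the same error, so the
  # response alone does not say which check rejected the code.
  def redeem(code:, client_id:, redirect_uri:, now: Time.now)
    grant = @grants.delete(code) # single use: removed on the first attempt
    return :unknown_or_used if grant.nil?             # never issued or already used
    return :unknown_or_used if now > grant.expires_at # expired
    return :unknown_or_used unless grant.client_id == client_id &&
                                   grant.redirect_uri == redirect_uri # exact match
    :access_token_issued
  end
end

# Constructed sample values; returns the outcome of each scenario.
def demo
  t0 = Time.at(0)
  store = CodeStore.new(ttl: 60)
  uri = "https://app.example/callback"
  args = { client_id: "c1", redirect_uri: uri }
  results = {}
  code = store.issue(**args, now: t0)
  results[:first]  = store.redeem(code: code, **args, now: t0 + 5)
  results[:replay] = store.redeem(code: code, **args, now: t0 + 6)
  code = store.issue(**args, now: t0)
  results[:expired] = store.redeem(code: code, **args, now: t0 + 61)
  code = store.issue(**args, now: t0)
  results[:mismatch] = store.redeem(code: code, client_id: "c1", redirect_uri: uri + "/", now: t0 + 5)
  results
end
```

Note that the mismatch case differs from the issued `redirect_uri` only by a trailing slash, which is enough to fail an exact comparison.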

