While we were going through the Intuit technical review, Intuit indicated that we need to check within our app to make sure the OAuth token is still valid.
So far I've found at least two different return codes that can happen when an OAuth token is invalid - are there more than just two? What other return codes should we be looking for?
Found so far:
The only HTTP status that should be used is 401 Unauthorized. Any other response status is either a bug or a faulty implementation of the specification on Intuit's side.
It may be that the token is valid, just not for the resource that you are trying to access. In these cases it is good to be pragmatic and really specify for the API consumer WHY they get a 401. It is perhaps this scenario that Intuit covers with a 200 + error code. But this is just a guess.