diff --git a/pkg/keystone/tokens/errors.go b/pkg/keystone/tokens/errors.go
index 63f9bdf6cb5..d9552ca4f86 100644
--- a/pkg/keystone/tokens/errors.go
+++ b/pkg/keystone/tokens/errors.go
@@ -14,7 +14,11 @@ package tokens
-import "yunion.io/x/pkg/errors"
+import (
+ "yunion.io/x/pkg/errors"
+
+ "yunion.io/x/onecloud/pkg/httperrors"
+)
 const (
 ErrVerMismatch = errors.Error("version mismatch")
@@ -31,3 +35,19 @@ const (
 ErrInvalidAccessKeyId = errors.Error("invalid access key id")
 ErrExpiredAccessKey = errors.Error("expired access key")
 )
+
+func init() {
+ httperrors.RegisterErrorHttpCode(ErrVerMismatch, 401)
+ httperrors.RegisterErrorHttpCode(ErrProjectDisabled, 401)
+ httperrors.RegisterErrorHttpCode(ErrUserDisabled, 401)
+ httperrors.RegisterErrorHttpCode(ErrInvalidToken, 401)
+ httperrors.RegisterErrorHttpCode(ErrExpiredToken, 401)
+ httperrors.RegisterErrorHttpCode(ErrInvalidFernetToken, 401)
+ httperrors.RegisterErrorHttpCode(ErrInvalidAuthMethod, 401)
+ httperrors.RegisterErrorHttpCode(ErrUserNotFound, 401)
+ httperrors.RegisterErrorHttpCode(ErrDomainDisabled, 401)
+ httperrors.RegisterErrorHttpCode(ErrEmptyAuth, 401)
+ httperrors.RegisterErrorHttpCode(ErrUserNotInProject, 401)
+ httperrors.RegisterErrorHttpCode(ErrInvalidAccessKeyId, 401)
+ httperrors.RegisterErrorHttpCode(ErrExpiredAccessKey, 401)
+}
diff --git a/pkg/keystone/tokens/handlers.go b/pkg/keystone/tokens/handlers.go
index 69b385cee09..9912ca93a40 100644
--- a/pkg/keystone/tokens/handlers.go
+++ b/pkg/keystone/tokens/handlers.go
@@ -19,6 +19,7 @@ import (
 "net/http"
 "yunion.io/x/jsonutils"
+ "yunion.io/x/log"
 "yunion.io/x/pkg/errors"
 "yunion.io/x/pkg/util/rbacscope"
 "yunion.io/x/sqlchemy"
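Review bot: The new init() in errors.go gives ErrUserNotFound, ErrUserDisabled, ErrProjectDisabled and ErrDomainDisabled the same 401 as ErrInvalidToken, but a shared status code does not by itself make the responses indistinguishable. If httperrors renders the error text into the body (not visible in this diff), an unauthenticated caller can still tell a missing account from a disabled one. I would record the intent above the block, e.g. `// Every authentication failure maps to 401; the response body must not reveal which check failed.`, and confirm the rendered body against that. The thirteen calls would also read better as a loop over a slice of the sentinels, which keeps the status code in one place.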
@@ -66,6 +67,11 @@ func authenticateTokensV2(ctx context.Context, w http.ResponseWriter, r *http.Re
 }
 input.Auth.Context = FetchAuthContext(input.Auth.Context, r)
 token, err := AuthenticateV2(ctx, input)
+ if err != nil {
+ log.Errorf("AuthenticateV2 error %s", err)
+ httperrors.GeneralServerError(ctx, w, err)
+ return
+ }
 if token == nil {
 httperrors.UnauthorizedError(ctx, w, "unauthorized %s", err)
 return
@@ -90,6 +96,7 @@ func authenticateTokensV3(ctx context.Context, w http.ResponseWriter, r *http.Re
 input.Auth.Context = FetchAuthContext(input.Auth.Context, r)
 token, err := AuthenticateV3(ctx, input)
 if err != nil {
+ log.Errorf("AuthenticateV3 error %s", err)
 switch errors.Cause(err) {
 case sqlchemy.ErrDuplicateEntry:
 httperrors.ConflictError(ctx, w, "duplicate username")
diff --git a/pkg/keystone/tokens/token.go b/pkg/keystone/tokens/token.go
index 5a1355fd0e6..fc1c14e329e 100644
--- a/pkg/keystone/tokens/token.go
+++ b/pkg/keystone/tokens/token.go
@@ -346,7 +346,12 @@ func (t *SAuthToken) getTokenV3(
 if len(roles) == 0 {
 if project != nil || domain != nil {
- return nil, ErrUserNotInProject
+ if project != nil {
+ return nil, errors.Wrapf(ErrUserNotInProject, "project %q", project.Name)
+ }
+ if domain != nil {
+ return nil, errors.Wrapf(ErrUserNotInProject, "domain %q", domain.Name)
+ }
 }
 /*extProjs, err := models.ProjectManager.FetchUserProjects(user.Id)
 if err != nil {
@@ -453,7 +458,7 @@ func (t *SAuthToken) getTokenV2(
 if len(roles) == 0 {
 if project != nil {
- return nil, ErrUserNotInProject
+ return nil, errors.Wrapf(ErrUserNotInProject, "project %q", project.Name)
 }
 extProjs, err := models.ProjectManager.FetchUserProjects(user.Id)
 if err != nil {
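Review bot: In authenticateTokensV2 (handlers.go) the `token == nil` branch below the new early return still formats `err`, which is always nil at that point, so the client would presumably receive `unauthorized %!s(<nil>)`. That line should become `httperrors.UnauthorizedError(ctx, w, "unauthorized")`. The new branch also sends every AuthenticateV2 failure through GeneralServerError, so an authentication error that is not among those registered in errors.go may now surface as a server error instead of 401. That depends on httperrors' default, which is not visible here and should be confirmed. The function body continues outside the hunk.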
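Review bot: The log line added before the switch in authenticateTokensV3 (handlers.go) records only the error text, so a run of failed logins produces error-level entries that cannot be tied to a client or separated from real server faults. Including the request origin would make these lines usable for detecting password guessing, for example `log.Errorf("AuthenticateV3 error from %s: %s", r.RemoteAddr, err)`. Behind a proxy the address would have to come from whatever FetchAuthContext stores, which is not visible in this hunk. Expected authentication failures could also be logged below error level. The same applies to the `AuthenticateV2 error` line in the previous hunk.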
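Review bot: The wrapped errors in getTokenV3 (token.go) put `project.Name` or `domain.Name` into an error that the handlers pass on to the response writer, so a caller who scoped the request by ID and has no role there may be told the name of that project or domain. Whether the wrapped text reaches the response body depends on httperrors, which this diff does not show. If it does, log the name on the server and return the bare sentinel. Otherwise a comment such as `// name is echoed in the 401 body; only ever a scope the caller asked for` would make the assumption explicit. The outer `if project != nil || domain != nil` is now redundant with the two inner checks. The same wrap is added to getTokenV2 in the following hunk, and both functions extend beyond their hunks.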