diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index baae3d254..39b888c15 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -17,13 +17,13 @@ async function verifyToken(accessToken) {
 assert.strictEqual(typeof accessToken, 'string');
 const token = await tokens.getByAccessToken(accessToken);
- if (!token) throw new BoxError(BoxError.INVALID_CREDENTIALS);
+ if (!token) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'No such token');
 const [error, user] = await safe(userGet(token.identifier));
- if (error && error.reason === BoxError.NOT_FOUND) throw new BoxError(BoxError.INVALID_CREDENTIALS);
+ if (error && error.reason === BoxError.NOT_FOUND) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'User not found');
 if (error) throw error;
- if (!user.active) throw new BoxError(BoxError.INVALID_CREDENTIALS);
+ if (!user.active) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'User not active');
 await safe(tokens.update(token.id, { lastUsedTime: new Date() })); // ignore any error
diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index 5e1f545fb..7aac11e8d 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -93,10 +93,10 @@ async function tokenAuth(req, res, next) {
 }
 }
- if (!token) return next(new HttpError(401, 'Unauthorized'));
+ if (!token) return next(new HttpError(401, 'Token required'));
 const [error, user] = await safe(accesscontrol.verifyToken(token));
- if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
+ if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message));
 if (error) return next(new HttpError(500, error.message));
 req.access_token = token; // used in logout route
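Review bot: The three new BoxError messages in verifyToken ('No such token', 'User not found', 'User not active') are forwarded verbatim to the client by the tokenAuth and websocketAuth hunks in src/routes/accesscontrol.js through `next(new HttpError(401, error.message))`, so a 401 now tells the caller whether a presented token is unknown or belongs to a disabled account, where the old code answered 'Unauthorized' in every case. That makes the authentication path an oracle for account state, which is better kept server-side. Keeping the descriptive message on the BoxError for logging is fine; the routes should still return the generic text, e.g. `if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));`, and log `error.message` instead. verifyToken's body continues outside the hunk.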
@@ -120,10 +120,10 @@ function authorize(requiredRole) {
 async function websocketAuth(requiredRole, req, res, next) {
 assert.strictEqual(typeof requiredRole, 'string');
- if (typeof req.query.access_token !== 'string') return next(new HttpError(401, 'Unauthorized'));
+ if (typeof req.query.access_token !== 'string') return next(new HttpError(401, 'access_token must be a string'));
 const [error, user] = await safe(accesscontrol.verifyToken(req.query.access_token));
- if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
+ if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message));
 if (error) return next(new HttpError(500, error.message));
 req.user = user;
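Review bot: The message 'access_token must be a string' on the typeof check is misleading when the query parameter is simply absent, which is the common failure and the case tokenAuth reports as 'Token required'; a repeated query parameter, which the query parser presumably turns into an array, would also fail this check with the same text. Consider `if (req.query.access_token === undefined) return next(new HttpError(401, 'Token required'));` ahead of the typeof check, keeping the present line for the non-string case. The concern about returning `error.message` in the 401 response, raised on the verifyToken hunk, applies to this hunk as well. websocketAuth's body continues past the hunk.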