There are many cases where invalid input sent as HTTP parameters (such as modifying or re-using the tokens returned) throw fatal errors instead of returning 400 (or similar) responses.