diff --git a/src/auth.rs b/src/auth.rs
index 7a57701..fd2c405 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -1,6 +1,7 @@
 use std::sync::Arc;
 use rand::{seq::IteratorRandom, thread_rng};
+use thiserror::Error;
 use tokio::sync::Mutex;
 use tracing::{event, instrument, Level};
@@ -9,6 +10,18 @@ use crate::{
 secrets::{Password, UserToken},
 };
+#[derive(Debug, Error)]
+pub enum AuthenticationError {
+ #[error("Invalid username or password")]
+ InvalidUserOrPassword,
+ #[error("Invalid token")]
+ InvalidToken,
+ #[error("Invalid server hash")]
+ InvalidServerHash,
+ #[error("Authentication backend error")]
+ Backend(#[from] sqlx::Error),
+}
+
 #[derive(Debug)]
 pub struct Authenticator {
 db: Arc>,
@@ -41,13 +54,16 @@ impl Authenticator {
 }
 #[instrument]
- pub async fn verify_user_token(&self, username: &str, token: &UserToken) -> Result<(), ()> {
+ pub async fn verify_user_token(
+ &self,
+ username: &str,
+ token: &UserToken,
+ ) -> Result<(), AuthenticationError> {
 let mut db = self.db.lock().await;
 // TODO: (in db) distinguish between invalid token and SQLX error
- match db.get_token(username).await {
- Ok(_) => Ok(()),
- Err(_) => Err(()),
- }
+ db.get_token(username).await?;
+
+ Ok(())
 }
 }
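Review bot: The new public `AuthenticationError` enum carries no doc comments, so nothing tells a caller which variants are safe to relay to an unauthenticated peer. `Backend` wraps the raw `sqlx::Error`: its `Display` text is generic, but the derived `Debug` and the error source still expose driver detail, so a line such as `/// Storage failure; log the source server-side and return only the Display text to clients.` above `Backend` would make that contract explicit. A one-line `///` summary on the enum itself and on each credential variant would also record when each is expected to be returned.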
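Review bot: In `verify_user_token` the `token` argument is never compared with anything, because the value returned by `db.get_token(username)` is discarded; assuming `get_token` only loads the stored token, any token is accepted for a username that has a row. The new `InvalidToken` variant is never produced either, and since `?` converts every `sqlx::Error` through `#[from]`, a missing row (if `get_token` reports it as `sqlx::Error::RowNotFound`) surfaces as `Backend` instead of a credential failure, which is what the TODO points at. Bind the result, map the not-found case to `InvalidToken`, and compare the stored value with `token` in constant time before returning `Ok(())`. Separately, the bare `#[instrument]` on this method records `token` through its `Debug` impl unless `UserToken` redacts it, so `#[instrument(skip(token))]` is the safer form.

```rust
        let mut db = self.db.lock().await;
        let stored = match db.get_token(username).await {
            Ok(stored) => stored,
            // No row for this user: a credential failure, not a backend fault.
            Err(sqlx::Error::RowNotFound) => return Err(AuthenticationError::InvalidToken),
            Err(e) => return Err(AuthenticationError::Backend(e)),
        };
        // Compare `stored` with `token` in constant time here and return
        // AuthenticationError::InvalidToken on mismatch; UserToken's comparison
        // API is not visible in this diff.
        // … unchanged: Ok(()) …
```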