diff --git a/pkg/errors/types.go b/pkg/errors/types.go
index a3a5926d..7437313a 100644
--- a/pkg/errors/types.go
+++ b/pkg/errors/types.go
@@ -42,4 +42,7 @@ var (
 
 	// ErrScanMetadata indicates problem with metadata in db.
 	ErrScanMetadata = New("failed to scan metadata in db")
+
+	// ErrWrongSecret indicates a wrong secret was provided.
+	ErrWrongSecret = New("wrong secret")
 )
diff --git a/users/clients/service.go b/users/clients/service.go
index 057625b9..afc398ca 100644
--- a/users/clients/service.go
+++ b/users/clients/service.go
@@ -111,7 +111,7 @@ func (svc service) IssueToken(ctx context.Context, identity, secret string) (jwt
 		return jwt.Token{}, errors.Wrap(errors.ErrAuthentication, err)
 	}
 	if err := svc.hasher.Compare(secret, dbUser.Credentials.Secret); err != nil {
-		return jwt.Token{}, errors.Wrap(errors.ErrAuthentication, err)
+		return jwt.Token{}, errors.Wrap(errors.ErrWrongSecret, err)
 	}
 
 	claims := jwt.Claims{
@@ -315,7 +315,7 @@ func (svc service) UpdateClientSecret(ctx context.Context, token, oldSecret, new
 		return mfclients.Client{}, err
 	}
 	if _, err := svc.IssueToken(ctx, dbClient.Credentials.Identity, oldSecret); err != nil {
-		return mfclients.Client{}, errors.ErrAuthentication
+		return mfclients.Client{}, err
 	}
 	newSecret, err = svc.hasher.Hash(newSecret)
 	if err != nil {