diff --git a/zeroidc/Cargo.lock b/zeroidc/Cargo.lock
index 24c126e8c..889142175 100644
--- a/zeroidc/Cargo.lock
+++ b/zeroidc/Cargo.lock
@@ -1500,6 +1500,7 @@ dependencies = [
  "openidconnect",
  "reqwest",
  "serde",
+ "thiserror",
  "time 0.3.5",
  "url",
 ]
diff --git a/zeroidc/Cargo.toml b/zeroidc/Cargo.toml
index e74c9efaa..1ffe3abb7 100644
--- a/zeroidc/Cargo.toml
+++ b/zeroidc/Cargo.toml
@@ -20,6 +20,7 @@ jsonwebtoken = "7.2.0"
 serde = "1.0.130"
 time = { version = "0.3.5", features = ["formatting"] }
 bytes = "1.1.0"
+thiserror = "1"
 
 [build-dependencies]
 cbindgen = "0.20.0"
diff --git a/zeroidc/src/error.rs b/zeroidc/src/error.rs
new file mode 100644
index 000000000..8c2bdf6ac
--- /dev/null
+++ b/zeroidc/src/error.rs
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c)2022 ZeroTier, Inc.
+ *
+ * Use of this software is governed by the Business Source License included
+ * in the LICENSE.TXT file in the project's root directory.
+ *
+ * Change Date: 2025-01-01
+ *
+ * On the date above, in accordance with the Business Source License, use
+ * of this software will be governed by version 2.0 of the Apache License.
+ */
+
+use thiserror::Error;
+
+#[derive(Error, Debug)]
+pub enum ZeroIDCError
+{
+    #[error(transparent)]
+    DiscoveryError(#[from] openidconnect::DiscoveryError<openidconnect::reqwest::Error<reqwest::Error>>),
+
+    #[error(transparent)]
+    ParseError(#[from] url::ParseError),
+}
diff --git a/zeroidc/src/lib.rs b/zeroidc/src/lib.rs
index 5083b44ce..f9ceaabb4 100644
--- a/zeroidc/src/lib.rs
+++ b/zeroidc/src/lib.rs
@@ -10,6 +10,7 @@
  * of this software will be governed by version 2.0 of the Apache License.
  */
 
+pub mod error;
 pub mod ext;
 
 extern crate base64;
@@ -18,6 +19,8 @@ extern crate openidconnect;
 extern crate time;
 extern crate url;
 
+use crate::error::ZeroIDCError;
+
 use bytes::Bytes;
 use jsonwebtoken::{dangerous_insecure_decode};
 use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType};
@@ -96,7 +99,7 @@ impl ZeroIDC {
         client_id: &str,
         auth_ep: &str,
         local_web_port: u16,
-    ) -> Result<ZeroIDC, String> {
+    ) -> Result<ZeroIDC, ZeroIDCError> {
         let idc = ZeroIDC {
             inner: Arc::new(Mutex::new(Inner {
                 running: false,
@@ -114,39 +117,14 @@ impl ZeroIDC {
             })),
         };
 
-        let iss = match IssuerUrl::new(issuer.to_string()) {
-            Ok(i) => i,
-            Err(e) => {
-                println!("Error generating Issuer URL");
-                return Err(e.to_string());
-            }
+        let iss = IssuerUrl::new(issuer.to_string())?;
 
-        };
-
-        let provider_meta = match CoreProviderMetadata::discover(&iss, http_client) {
-            Ok(m) => m,
-            Err(e) => {
-                println!("Error discovering provider metadata");
-                return Err(e.to_string());
-            },
-        };
+        let provider_meta = CoreProviderMetadata::discover(&iss, http_client)?;
 
         let r = format!("http://localhost:{}/sso", local_web_port);
-        let redir_url = match Url::parse(&r) {
-            Ok(s) => s,
-            Err(e) => {
-                println!("Error generating redirect URL");
-                return Err(e.to_string());
-            }
-        };
+        let redir_url = Url::parse(&r)?;
 
-        let redirect = match RedirectUrl::new(redir_url.to_string()) {
-            Ok(s) => s,
-            Err(e) => {
-                println!("Error generating RedirectURL instance from string: {}", redir_url.to_string());
-                return Err(e.to_string());
-            }
-        };
+        let redirect = RedirectUrl::new(redir_url.to_string())?;
 
         (*idc.inner.lock().unwrap()).oidc_client = Some(
             CoreClient::from_provider_metadata(