diff --git a/client.go b/client.go
index b5285d3..885700c 100644
--- a/client.go
+++ b/client.go
@@ -79,11 +79,8 @@ func (e *APIError) Unwrap() error {
 	return e.e
 }
 
-type InvalidCredentialsError struct{}
-
-func (e InvalidCredentialsError) Error() string {
-	return "invalid credentials"
-}
+var ErrInvalidCredentials = fmt.Errorf("invalid credentials")
+var ErrInvalidCode = fmt.Errorf("invalid enrollment code")
 
 type EnrollMeta struct {
 	OrganizationID   string
@@ -163,6 +160,13 @@ func (c *Client) Enroll(ctx context.Context, logger logrus.FieldLogger, code str
 		return nil, nil, nil, nil, &APIError{e: fmt.Errorf("error decoding JSON response: %s\nbody: %s", err, b), ReqID: reqID}
 	}
 
+	// Check for *only* an "invalid code" error returned by the API
+	if len(r.Errors) == 1 {
+		if err := r.Errors[0]; err.Path == "code" && err.Code == "ERR_INVALID_VALUE" {
+			return nil, nil, nil, nil, &APIError{e: ErrInvalidCode, ReqID: reqID}
+		}
+	}
+
 	// Check for any errors returned by the API
 	if err := r.Errors.ToError(); err != nil {
 		return nil, nil, nil, nil, &APIError{e: fmt.Errorf("unexpected error during enrollment: %v", err), ReqID: reqID}
@@ -404,7 +408,7 @@ func (c *Client) streamingPostDNClient(ctx context.Context, reqType string, valu
 		case http.StatusOK:
 			sc.respBytes = respBody
 		case http.StatusUnauthorized:
-			sc.err.Store(InvalidCredentialsError{})
+			sc.err.Store(ErrInvalidCredentials)
 		default:
 			var errors struct {
 				Errors message.APIErrors
@@ -451,7 +455,7 @@ func (c *Client) postDNClient(ctx context.Context, reqType string, value []byte,
 	case http.StatusOK:
 		return respBody, nil
 	case http.StatusUnauthorized:
-		return nil, InvalidCredentialsError{}
+		return nil, ErrInvalidCredentials
 	default:
 		var errors struct {
 			Errors message.APIErrors
diff --git a/client_test.go b/client_test.go
index 6be7a92..3b58824 100644
--- a/client_test.go
+++ b/client_test.go
@@ -237,8 +237,7 @@ func TestDoUpdate(t *testing.T) {
 	defer cancel()
 	_, err = c.CheckForUpdate(ctx, invalidCreds)
 	assert.Error(t, err)
-	invalidCredsErrorType := InvalidCredentialsError{}
-	assert.ErrorAs(t, err, &invalidCredsErrorType)
+	assert.ErrorIs(t, err, ErrInvalidCredentials)
 	serverErrs := ts.Errors() // This consumes/resets the server errors
 	require.Len(t, serverErrs, 1)
 
@@ -427,8 +426,7 @@ func TestDoUpdate_P256(t *testing.T) {
 	defer cancel()
 	_, err = c.CheckForUpdate(ctx, invalidCreds)
 	assert.Error(t, err)
-	invalidCredsErrorType := InvalidCredentialsError{}
-	assert.ErrorAs(t, err, &invalidCredsErrorType)
+	assert.ErrorIs(t, err, ErrInvalidCredentials)
 	serverErrs := ts.Errors() // This consumes/resets the server errors
 	require.Len(t, serverErrs, 1)