API reference

The error envelope and status codes

Every API error uses one envelope. A non-2xx response returns {"error":{...}} with a stable type, a machine-readable code, a human message and an optional param. The HTTP status tells you the broad class; the code tells you exactly what went wrong. Branch on code, log the message, and show the user something sensible.

2 min read

error.codeBranch on this
4 classesClient / auth / rate / server
Never HTMLAlways JSON

The envelope

{
  "error": {
    "type": "invalid_request_error",
    "code": "consent_required",
    "message": "fields.consent must equal \"yes\".",
    "param": "fields.consent"
  }
}
FieldTypeNotes
typestringBroad class: invalid_request_error, authentication_error, rate_limit_error, api_error.
codestringSpecific, stable machine code. This is what you branch on.
messagestringHuman-readable. Safe to log; do not parse.
paramstring?The offending field, when the error is about one input.

Status → class

StatustypeMeaningRetry?
400invalid_request_errorMalformed request (bad JSON, wrong shape)No — fix the request
401authentication_errorMissing/invalid credential (partner plane)No — fix auth
403authentication_errorAuthenticated but not permittedNo
404invalid_request_errorResource or route not foundNo
409invalid_request_errorConflict (e.g. idempotency key reuse)No
422invalid_request_errorWell-formed but failed validationNo — fix the field
429rate_limit_errorRate limit exceededYes — after Retry-After
500api_errorUnexpected server errorYes — with backoff
503api_errorTemporarily unavailableYes — with backoff

How to handle

Split errors into three buckets. Fix-the-request (400/404/409/422): never retry blindly — the same request will fail again. Fix-the-auth (401/403): re-check the credential. Retry-able (429/5xx): back off and retry, honouring Retry-After on a 429. Full per-code detail is in the error code catalogue.

Frequently asked questions

Should I branch on the HTTP status or the error code?

Both. Use the status for the broad retry/no-retry decision, and the code for the specific user-facing behaviour. The code is stable; the message wording may be refined over time.

Can an error ever come back as HTML?

API errors are always the JSON envelope. If you ever receive HTML, you have hit an edge/proxy layer (e.g. a WAF or a 502 from infrastructure) rather than the API itself — treat it as a retry-able server error.

Is 422 different from 400?

Yes. 400 means the request was malformed (unparseable JSON, wrong content type). 422 means it parsed fine but a value failed a business rule — the param field points at the culprit.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.