Error shape
| Field | Type | Description |
|---|---|---|
error.type | string | Error category |
error.code | string | Machine-readable code (optional) |
error.message | string | Human-readable description |
error.errors | array | Field-level validation details (optional) |
Error codes
| Code | Description |
|---|---|
invalid_credentials | Wrong client_id or client_secret |
insufficient_scope | Token lacks required permission |
api_key_disabled | API credential has been disabled |
auth_rate_limited | Too many failed auth attempts |
rate_limited | API request rate limit exceeded |
validation_failed | Request body or query validation failed |
idempotency_in_progress | Duplicate idempotency key while request is processing |
version_mismatch | API version conflict (reserved for future use) |
HTTP status mapping
| Status | When |
|---|---|
400 | Invalid JSON, validation errors, unsupported API version at auth |
401 | Missing or invalid bearer token, invalid credentials at auth |
403 | Insufficient scope, disabled API credential |
404 | Resource not found |
409 | Idempotency conflict (request in progress) |
429 | Rate limit exceeded |
500 | Internal server error |
Validation errors
When request validation fails, theerrors array contains Zod-style field details:
Response headers on errors
Error responses still includeST-Api-Version when the API version is known from the token or auth flow.
