Error envelope
Every error response — on every surface, from validation failures to authorization rejections to server errors — uses the same JSON shape. Write one error handler and it works against the whole API.
{
"code": "string",
"message": "human-readable summary",
"details": {}
}code— a stable, machine-readable identifier you can branch on.message— a human-readable summary, safe to log; not intended for end-user display verbatim.details— optional structured context (e.g. per-field validation errors). Present when there's more to say.
This envelope is documented in OpenAPI as a shared schema and referenced by every endpoint's 4xx/5xx responses, so it shows up consistently in the API reference.
Common status codes
| Status | Meaning |
|---|---|
| 400 | Malformed or invalid payload (see details) |
| 401 | Missing or invalid authentication |
| 403 | Authenticated, but not permitted (role or cross-tenant) |
| 404 | Not found within this tenant |
| 409 | Conflict — e.g. a duplicate or a state that blocks the action |
The canonical
codecatalog is published with the API reference. Until the generated reference lands, treatcodeas stable andmessageas informational.