API Reference

Errors

Error envelope, common status codes, and OAuth-specific codes.

Standard error envelope

{
  "statusCode": 404,
  "error": "Not Found",
  "message": "App not found",
  "timestamp": "2026-05-23T16:00:00.000Z",
  "path": "/api/v1/apps/missing"
}

message is always a string for ad-hoc errors and an array of strings for validation errors (from class-validator):

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": [
    "redirect_uris must contain at least 1 element",
    "client_name should not be empty"
  ],
  "timestamp": "...",
  "path": "/oauth/register"
}

Status code catalogue

CodeMeaningWhen
200OKSuccessful read
201CreatedSuccessful write (DCR, etc.)
204No ContentSession bridge, revocation
302FoundOAuth redirects only
400Bad RequestValidation or malformed payload
401UnauthorizedMissing/invalid token
403ForbiddenToken valid but scope/role insufficient
404Not FoundResource doesn't exist or filtered by tenancy
409ConflictIdempotency clash, duplicate write
422UnprocessableSemantic validation (e.g., entitlement mismatch)
429Too Many RequestsRate limit — see Retry-After
500Server ErrorBug, file an issue
503Service UnavailableMaintenance window

OAuth-specific errors

OAuth endpoints (/oauth/*) follow RFC 6749 §5.2 — body is JSON with:

{
  "error": "invalid_grant",
  "error_description": "Authorization code expired or unknown"
}

Possible error values:

  • invalid_request
  • invalid_client
  • invalid_grant
  • unauthorized_client
  • unsupported_grant_type
  • unsupported_response_type
  • invalid_scope
  • invalid_redirect_uri