Skip to main content

Overview

Every error response — regardless of endpoint or HTTP status — uses the same JSON envelope. Parse it once and reuse that logic across your integration.

Error envelope

For validation errors, an optional details array is included alongside the fields above:
error.code
string
A stable, namespaced error code in <resource>.<reason> format (for example, chip.not_found). Branch your error-handling logic on this field — it is guaranteed not to change meaning.
error.message
string
A human-readable description of the error. Useful for logging and debugging, but do not parse or match against this string in code — its wording may change without notice.
error.request_id
string
A unique identifier for the request, formatted as req_<uuid>. This matches the X-Request-Id response header. Log it and include it in any support request so Endstate can locate the request in server-side logs.
error.doc_url
string
A URL pointing to the documentation for this error code (the error code reference below).
error.details
array
Present only on validation.failed responses. Each item identifies a specific field and the validation issue that failed.

Best practices

Branch on error.code, not on message or HTTP status.
  • error.code is stable and namespaced. It is the correct signal for programmatic branching.
  • error.message is human-readable prose that may change without notice. Never parse or switch on it.
  • HTTP status codes are a useful coarse signal (see below), but multiple distinct error codes share the same HTTP status. For example, both auth.unauthorized and session_token.invalid_or_expired return 401. Branching on the status alone is not precise enough to handle them differently.
Ignore unknown codes and fields. The API may introduce new error codes and new top-level fields on the error object over time. Write your error handler to treat any unrecognized code as a generic failure rather than throwing on an unexpected value. Log request_id on every error. The request_id field (also available as the X-Request-Id response header) uniquely identifies the server-side execution of that request. Always capture it alongside error details. When you contact support, include this value — it is the fastest way to locate and diagnose the problem.

HTTP status classes

The Endstate API uses standard HTTP status semantics. Branch on the class (the hundreds digit) rather than exact status codes.
Plain HTTP requests receive a 426 Upgrade Required response. HTTPS is required for all API calls.

Error code reference

Authentication

Cross-organization resource access returns 404 rather than 403 to avoid revealing that the resource exists.

Session tokens

Chips

Chip replacements

Units

Claims

Transfers

Collections

Generic and rate limiting

Specific rate limits and quotas are set per organization during onboarding. Treat any 429 as retryable with exponential backoff.

Next steps

Pagination

Learn how to iterate through large result sets with cursor-based pagination.

API reference

Full request and response schemas for every endpoint.