Skip to main content
PermitCore returns an RFC 9457 application/problem+json body for every non-2xx response:
Branch your error handling on type (a stable URI), not on title or detail (human-readable, may change). status mirrors the HTTP status; instance is the request path; request_id also appears as the x-request-id response header — include it in support requests.

Error catalog

The type URI ends in the slug shown below; each links to a page explaining the error and how to fix it.

401 Unauthorized

Auth is checked before the resource, so a bad key returns invalid-credentials even on an unknown path or jurisdiction.

403 Forbidden

404 Not Found

429 Too Many Requests

When Retry-After is large (multiple hours), the quota has been exhausted for the period. Bring the key up a tier or wait for the period to reset (monthly quotas reset on the first of each month UTC).

5xx Server errors

Retry 5xx on the HTTP status (below) with exponential backoff — don’t branch on the type slug for server errors.

Retry guidance

Retryable status codes: 429 (respect Retry-After), 500, 502, 503, 504. All 4xx codes other than 429 are application errors and should NOT be retried — fix the request and resubmit.
Node.js

Diagnosing in production

  • Every response includes a x-request-id header (UUID). Include it in any support ticket — we can trace per-request.
  • Vercel deploy logs surface [cohort-distribution] <slug>: <error_type> for any caching layer failures.
  • For programmatic monitoring, the future /v1/keys/{prefix}/usage endpoint includes a recent_requests array with per-request status.