Errors & Limits

Error Codes

Status	Code	Description
400	`BAD_REQUEST`	Invalid request (missing fields, bad JSON)
401	`UNAUTHORIZED`	Missing, invalid, expired, or revoked API key
403	`FORBIDDEN`	No permission for requested table/action, or blocked table
413	`BAD_REQUEST`	Request body too large (max 1MB)
429	`RATE_LIMITED`	Too many requests - check `Retry-After` header
500	`INTERNAL_ERROR`	Server error

Each API key has a configurable rate limit (default: 100 requests per minute). When rate limited, the response includes these headers:

Header	Description
`Retry-After`	Seconds until the rate limit resets
`X-RateLimit-Limit`	Max requests per window
`X-RateLimit-Remaining`	Remaining requests in window

Blocked Tables

These tables are never accessible via external API: site, role, cart, apiKey, webhook, asset.

Sensitive Fields

User records automatically have these fields stripped: password, 2FA secrets, recovery codes, and tokens.

File Upload Fields

Fields of type file and files are read-only via the API. There is no file upload endpoint - use the CMS Manager to upload files.

Status	Code	Description
400	`BAD_REQUEST`	Invalid request (missing fields, bad JSON)
401	`UNAUTHORIZED`	Missing, invalid, expired, or revoked API key
403	`FORBIDDEN`	No permission for requested table/action, or blocked table
413	`BAD_REQUEST`	Request body too large (max 1MB)
429	`RATE_LIMITED`	Too many requests - check `Retry-After` header
500	`INTERNAL_ERROR`	Server error