The Partner API uses standard HTTP status codes. 2xx means success; 4xx means the request needs to change before retrying; 5xx means a server-side problem.

Status code summary

CodeMeaningRetry?
200 / 201Success
400Bad Request — invalid parameters or validation failedAfter fixing the request
401Unauthorized — missing or invalid API keyAfter fixing the key
403Forbidden — key lacks access to this resourceNo — wrong key tier or scope
404Not Found — resource doesn’t exist or isn’t yoursNo
410Gone — resource expired (e.g. an upload session)No — start over
422Unprocessable Entity — valid request that can’t be processedDepends on cause
429Too Many Requests — rate limit hitYes, after Retry-After
500Internal Server ErrorYes, with backoff — contact support if persistent

Error details

All errors return a JSON body with a human-readable message. Shape:
{
  "error": "Bad Request",
  "message": "legalName is required.",
  "statusCode": 400
}
When: A required field is missing, a value is the wrong type, or a JSON array field (selectedControlItemIds, selectedControlClusterIds) is malformed.Fix: Check the message for the offending field. Validate the request body against the endpoint schema in the API Reference before retrying.
When: The X-API-Key header is missing, empty, or not a recognized key.Fix: Send a valid key in the X-API-Key header. Every endpoint except /health requires it.
When: You used the wrong tier of key for the operation. The API uses a two-tier key model:
  • Partner Key — onboarding clients, listing companies, browsing controls.
  • Company Key — document submission, status polling, results retrieval, company/entity updates.
Using a Partner Key for a company-scoped operation (or vice versa) returns 403.Fix: Use the Company Key returned by POST /v1/onboard for all document operations; use the Partner Key for onboarding and partner-level listing. See Authentication.
When: The resource ID doesn’t exist, or it belongs to a different company than your key.Fix: Confirm the ID and that you’re using the key for the company that owns the resource.
When: You uploaded a chunk to an upload session that has expired (sessions last 24 hours).Fix: Start a new session with POST /v1/documents/upload/start and re-upload. See Chunked Upload.
When: The request is well-formed but can’t be processed — e.g. submitting both businessEntityId and complianceReviewId, or referencing a control that isn’t whitelisted for your partner.Fix: Read the message; provide exactly one of businessEntityId / complianceReviewId, and only reference frameworks/controls returned by GET /v1/compliance-frameworks.
When: You exceeded your tier’s request rate or the per-company submission limit.Fix: Back off and retry after the seconds given in the Retry-After response header. See Rate Limiting for the per-tier limits.
When: An unexpected server-side error.Fix: Retry with exponential backoff. If it persists, contact support with the request details and timestamp. See Support.