2xx means success; 4xx means the request
needs to change before retrying; 5xx means a server-side problem.
Status code summary
| Code | Meaning | Retry? |
|---|---|---|
| 200 / 201 | Success | — |
| 400 | Bad Request — invalid parameters or validation failed | After fixing the request |
| 401 | Unauthorized — missing or invalid API key | After fixing the key |
| 403 | Forbidden — key lacks access to this resource | No — wrong key tier or scope |
| 404 | Not Found — resource doesn’t exist or isn’t yours | No |
| 410 | Gone — resource expired (e.g. an upload session) | No — start over |
| 422 | Unprocessable Entity — valid request that can’t be processed | Depends on cause |
| 429 | Too Many Requests — rate limit hit | Yes, after Retry-After |
| 500 | Internal Server Error | Yes, with backoff — contact support if persistent |
Error details
All errors return a JSON body with a human-readablemessage. Shape:
400 — Bad Request
400 — Bad Request
When: A required field is missing, a value is the wrong type, or a JSON array field
(
selectedControlItemIds, selectedControlClusterIds) is malformed.Fix: Check the message for the offending field. Validate the request body against the
endpoint schema in the API Reference before retrying.401 — Unauthorized
401 — Unauthorized
403 — Forbidden (wrong key tier)
403 — Forbidden (wrong key tier)
When: You used the wrong tier of key for the operation. The API uses a two-tier key model:
- Partner Key — onboarding clients, listing companies, browsing controls.
- Company Key — document submission, status polling, results retrieval, company/entity updates.
403.Fix: Use the Company Key returned by POST /v1/onboard for all document operations; use the
Partner Key for onboarding and partner-level listing. See Authentication.404 — Not Found
404 — Not Found
When: The resource ID doesn’t exist, or it belongs to a different company than your key.Fix: Confirm the ID and that you’re using the key for the company that owns the resource.
410 — Gone (expired upload session)
410 — Gone (expired upload session)
When: You uploaded a chunk to an upload session that has expired (sessions last 24 hours).Fix: Start a new session with
POST /v1/documents/upload/start and re-upload. See
Chunked Upload.422 — Unprocessable Entity
422 — Unprocessable Entity
When: The request is well-formed but can’t be processed — e.g. submitting both
businessEntityId and complianceReviewId, or referencing a control that isn’t whitelisted for
your partner.Fix: Read the message; provide exactly one of businessEntityId / complianceReviewId, and
only reference frameworks/controls returned by GET /v1/compliance-frameworks.429 — Too Many Requests
429 — Too Many Requests
When: You exceeded your tier’s request rate or the per-company submission limit.Fix: Back off and retry after the seconds given in the
Retry-After response header. See
Rate Limiting for the per-tier limits.500 — Internal Server Error
500 — Internal Server Error
When: An unexpected server-side error.Fix: Retry with exponential backoff. If it persists, contact support with the request details
and timestamp. See Support.