The Account API uses standard HTTP status codes and a consistent error shape for failed requests.

401 Unauthorized

Returned when authentication fails or is missing:
  • Missing auth — No api-token header, or header empty.
  • Invalid token — The API key is malformed or not recognized.
  • Expired token — The API key has passed its expires_at.
  • Revoked key — The API key has been deleted (revoked). The API returns 401 with the message “Invalid token”, the same response as for an invalid or expired key.
Fix: Provide a valid, non-expired API key in the api-token header.

403 Forbidden

Returned when the request is authenticated but not allowed:
  • Insufficient permissions — The key does not have a permission required for the operation (e.g. missing account:apikeys:delete when calling DELETE on an API key).
  • IP not allowed — The key has allowed_ips and the request’s client IP is not in that list.
  • Subaccount not allowed — The key has allowed_subaccounts and the request targets a subaccount not in that list.
The response body includes success (false), error, required (array of permissions the endpoint needs), and your_permissions (array of the key’s permissions).
Fix: Use a key with the right permissions, call from an allowed IP, or target an allowed subaccount.

Standard error shape

Error responses include an error (or message) field with a short description. For 403 permission denied, the body also includes required and your_permissions. Check the response body for the exact structure.
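
The following client-side handler is an added example, not code from the Account API or its SDKs. It classifies a failed response from the documented fields and, for a 403, computes which required permissions the key lacks. The function name, the result keys, and the sample bodies are constructed for illustration. It assumes a 403 without a permission gap comes from allowed_ips or allowed_subaccounts.

```python
import json

def diagnose_error(status, body_text):
    """Classify a failed response from its status code and JSON body."""
    try:
        body = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        body = {}
    if not isinstance(body, dict):
        body = {}
    # The short description lives in "error" (or "message").
    detail = str(body.get("error") or body.get("message") or "")

    if status == 401:
        # Missing, invalid, expired and revoked keys all end here, and a
        # revoked key reports the same message as an invalid one, so the
        # client cannot tell them apart: replace the key, do not retry it.
        return {"kind": "unauthenticated", "detail": detail, "missing": []}

    if status == 403:
        required = body.get("required")
        held = body.get("your_permissions")
        if isinstance(required, list) and isinstance(held, list):
            held_set = {p for p in held if isinstance(p, str)}
            missing = sorted(p for p in required
                             if isinstance(p, str) and p not in held_set)
            if missing:
                return {"kind": "missing_permissions", "detail": detail,
                        "missing": missing}
        # Assumption: with no permission gap, the denial comes from
        # allowed_ips or allowed_subaccounts; the error text says which.
        return {"kind": "ip_or_subaccount_restricted", "detail": detail,
                "missing": []}

    return {"kind": "other", "detail": detail, "missing": []}

# Constructed sample bodies (not captured from the real API).
SAMPLE_403_PERMISSION = json.dumps({
    "success": False,
    "error": "permission denied",
    "required": ["account:apikeys:delete"],
    "your_permissions": ["example:placeholder:read"],  # constructed name
})
SAMPLE_403_IP = json.dumps({"success": False, "error": "IP not allowed"})
SAMPLE_401 = json.dumps({"message": "Invalid token"})

if __name__ == "__main__":
    for status, text in [(403, SAMPLE_403_PERMISSION), (403, SAMPLE_403_IP),
                         (401, SAMPLE_401)]:
        print(status, diagnose_error(status, text))
```

Log the returned kind and missing list for alerting, and keep the api-token value itself out of logs.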