Status Codes

The AuthRocket APIs use standard HTTP response codes to indicate whether an API request succeeded or failed.

To maximize browser compatibility, the LoginRocket API will almost always return one of: 200, 302, or 404.

Status: 200
Request succeeded; payload is included.

Status: 201
Request to create a resource succeeded; payload is included.

Status: 202
Request accepted, but not completed and may or may not succeed.

Status may need to be verified at a later time.

Status: 204
Request succeeded; no payload.

Status: 302, 303, 307
Redirect to another location. Clients should be prepared to follow a limited number of redirects.

Status: 400
Bad request; generally a missing parameter or malformed request.

Status: 401
An AuthRocket /authenticate or /authenticate_key API method failed to authenticate. This indicates the API call succeeded, but that the API call result is “failed to authenticate”. Your API credentials were fine (or you would have received a 403).

Status: 402
AuthRocket subscription is not active or otherwise needs attention. Login to the management portal.

Status: 403
API authentication failed. This can be because authentication credentials were missing, incomplete, incorrect, or lack sufficient permission to perform the current request.

Status: 404
Resource not found or not accessible to the current user. The latter case means that you may receive a 404 instead of a 403 in certain instances.

Status: 405
Method not allowed. Resource URI is recognized, but the HTTP verb sent is not valid for it. For example, sending a POST when only a PUT is allowed for that URI. Can also be an invalid HTTP verb, such as POSST.

Status: 406
Request not acceptable. Returned if requesting an unavailable document content type. Ensure that a proper Accept: header is being sent.

Status: 409
There was a conflict when attempting to update the resource. Most often this is a failed attempt to delete a resource that is in a state that prevents it from being deleted at this time. Should return a validation error like 422.

Status: 414
Returned when the request URL is too long.

This is most likely when querying a session using a very long JWT token. In this case, extract the session ID from the token (tk attribute) and use the ID for the request instead of the whole token.

Status: 415
Returned if submitting data using an unrecognized content-type (currently anything other than JSON or standard URL encoded form data).

Status: 422
Validation error. Can be returned for POST, PUT, and DELETE operations.

{ "message" : "Validation failed",
  "errors" : {
    "username" : ["Username can't be blank"]
  }
}

Status: 429
Rate-limiting thresholds have been exceeded. HTTP headers containing the current rate limiting status are included with 429 and 2xx responses.

X-RateLimit-Limit: 1234
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1388534400

X-RateLimit-Reset is a Unix epoch time when this request should be allowed again.

We have two categories of rate limits:

  • General - Apply to most API calls. Automatically adjusted based on plan.
  • Authentication - One of our security mechanisms to prevent brute force and other attacks. These shouldn’t be hit in normal use, but may be accidentally triggered by rapidly testing authentication related API calls during development.

Status: 500, 502
An error happened on AuthRocket’s side. Wait a few minutes and try again. Also ensure your request is properly formed.

Status: 503, 504
Service unavailable. This may be in response to heavy load, to exceeding rate-limiting thresholds, or server errors. Wait a few minutes and try again. Exponential backoff is recommended where possible.

Additional Notes

Clients must read the actual HTTP status header (and other headers as appropriate) prior to attempting to interpret the JSON body payload. Payloads for errors (4xx, 5xx) are intended to be informative, but may change.

Questions? Find a Typo? Get in touch.