Skip to content

Error Codes

Caracal packages and services use a shared machine-readable error shape.

{
"error": "invalid_token",
"error_description": "bearer signature invalid",
"requestId": "018f...",
"details": {}
}

details appears only when a service or package provides structured context. The same code can be emitted by different surfaces — an access_denied from STS is a policy decision, while an access_denied surfaced by an in-process verifier is a missing scope on an otherwise valid mandate. Use the requestId with the web console Audit decision trace to confirm which surface produced the error before acting.

The Likely source column names the surface that most often emits the code, and First check is the fastest thing to confirm. When a call fails, start from the surface, not the code.

CodeMeaningLikely sourceFirst check
access_deniedRequest is authenticated but not authorized.STS policy decision, or an in-process verifier scope check.Run request trace: confirm the active policy set allows the application, subject, resource, and scopes.
invalid_tokenToken is missing, malformed, expired, invalid, replayed, or fails verification.Gateway or a resource verifier.Confirm the mandate is unexpired, the verifier trusts the issuing zone JWKS, and the token was not already consumed.
resource_not_foundRequested resource does not exist or is unavailable in the current scope.API, or Gateway binding resolution.Confirm the resource identifier and that a Gateway binding exists for (zone, resource).
internal_errorService failed unexpectedly.Any service.Check service readiness and logs for the requestId.
policy_eval_failedPolicy evaluation failed.STS policy engine.Confirm the active policy set compiles and that required input fields are present.
provider_rate_limitedProvider or provider coordination rate limit denied work.Gateway upstream or provider coordination.Inspect provider limits and retry/backoff; confirm the provider grant is active.
interaction_requiredStep-up challenge is required.STS step-up gate.Complete the step-up flow; see Step-Up Re-Authentication.
sts_unavailableSTS could not satisfy an exchange.STS, or Gateway’s STS circuit.Run caracal status --ready; confirm STS readiness, JWKS, and policy bundle freshness.
credential_expired_not_renewableCredential is too close to expiry or cannot be renewed.STS provider-token refresh.Reconnect the provider grant; confirm OAuth refresh configuration.
payload_too_largeRequest body or token exceeded the configured limit.Gateway or API preflight.Reduce payload size or adjust the configured limit.
zone_invalidZone claim or route zone is invalid.Gateway or STS.Confirm the request targets the correct zone and the mandate carries a matching zone claim.
scope_insufficientRequired scope is missing.A resource verifier, or Gateway.Confirm the resource defines the scope and the active policy authorizes it for this subject.
operation_not_permittedThe Gateway operation is not declared on an enforced resource, or its required scope is absent from the mandate.STS native operation floor, on Gateway-authenticated mandate use.Declare the operation on the resource (operations), or set operation_enforcement to transport_uniform; confirm the mandate carries the operation’s scope.
agent_identity_requiredA verifier requires an agent identity.In-process verifier or MCP transport.Run the call from an agent session, not a bare subject session.
delegation_requiredA verifier requires delegated authority.In-process verifier.Confirm the call carries a delegation edge granting the required scopes.
chain_mismatchDelegation chain does not contain a required application/session.Verifier delegation check.Inspect the delegation edge in the web console; confirm the chain includes the required hop.
hop_count_exceededDelegation hop count exceeds the allowed maximum.Coordinator or verifier.Reduce delegation depth or raise the configured hop limit.
http_request_failedHTTP call failed before a valid response could be used.SDK or Gateway upstream call.Confirm endpoint URL, network reachability, and upstream allowlist.
config_missingRuntime or service configuration is missing.SDK or service startup.Confirm the runtime profile, secret file, and required environment variables.

Transport packages may map these codes into framework-specific HTTP responses.

If you only have an SDK error and not the surface, start from the symptom-first Troubleshoot by Symptom. It routes a denied or failing call to the right surface, the object to inspect, and the diagnostic tool to use.

Use Configuration Keys when an error points to missing runtime, service, or deployment configuration.