Error Response Status Codes
Tyk Gateway responses include HTTP status codes that follow the HTTP status code standard. They have three digits that describe the result of the request and the semantics of the response. The first digit defines the class of response as shown in the list below:
- 1xx (Informational): The request was received, continuing process
- 2xx (Successful): The request was successfully received, understood, and accepted
- 3xx (Redirection): Further action needs to be taken in order to complete the request
- 4xx (Client Error): The request contains bad syntax or cannot be fulfilled
- 5xx (Server Error): The server failed to fulfill an apparently valid request
Tyk Gateway error status code
Here we provide a list of all the error status codes (4xx and 5xx) that may be returned by the Tyk Gateway along with their corresponding messages and some guidance on the likely cause of the error. Tyk supports error templating, allowing you to configure the Gateway to return customised messages for certain HTTP error codes.
We also support limited customisation of the error codes and messages returned by custom authentication middleware through the use of override messages.
Code | Text | Recommended action |
---|---|---|
400 | Access to this API has been disallowed | Check if the key has access to the right API version or definition. Check if the authentication key used is still valid. Check if the certificate used for authentication is present. Check if the authentication key is created and present in the database. You can use Gateway Keys APIs for confirmation. Check if API definition is using JWT auth and if auth header key and or value is empty or missing. |
400 | API is not OAuth2 | Check if OAuth2 is integrated into the API by auth tokens or using Tyk OAuth flow. |
400 | Attempted access with malformed header | Values not in basic auth format or auth data not encoded correctly. |
400 | Authorization Field Missing | Check if the authorization field is missing. Check if the OAuth authorization field is missing. |
400 | Batch request creation failed, request structure malformed | Attempted to construct unsafe requests. Check if request structure is in correct format. |
400 | Batch request malformed | Attempted to decode request but failed. Check if request structure is in correct format. |
400 | Bearer token malformed | Check if the OAuth authorization field is malformed. |
400 | Body do not contain password or username | Check if body contains both password and username. If not, then insert the correct login credentials. |
400 | Cannot parse form. Form malformed | Attempted to revoke token but could not parse the request form. Check if the request form is malformed. |
400 | Content length is not a valid Integer | Check the value provided in the Content-Length field in the header. |
400 | Couldn’t decode instruction | Attempted to decode policy record from an update request. Check if the request body is malformed and is valid. |
400 | Couldn’t decode OAS object | Attempted to import OAS Tyk API but failed to retrieve object from request. Check if request body is valid. |
400 | Error API not migrated | The supplied API definition is in OAS format. Please use the Tyk native format for this API. |
400 | Failed to create key, keys must have at least one Access Rights record set | Attempted to create a key with master keys disabled in configurations. |
400 | Failed to remove the key | Failed to delete requested key. Make sure orgID and keyname are correct. |
400 | Health checks are not enabled for this node | Enable health checks for the gateway. |
400 | Key not authorized | Check if OAuth key is present. Check if the OAuth client is not deleted. Check if there is a valid policy associated with the key/token used. Check if the policy associated with the key is not expired or if the owner is valid. Check if JWT default policies exist. |
400 | Key cannot be used without a certificate | Check if key contains a certificate. If not, add a certificate to the key. |
400 | Key must be used with an existent certificate | Check if the certificate on the key exist within the system. |
400 | Missing parameter api_id | Check if API_ID is missing. If so, fill in the api_ID field with the correct value. |
400 | OAuth client doesn’t exist | Check if API_ID is missing. If so, fill in the api_ID field with the correct value. |
400 | OAuth client ID is empty | Check if OAuth client ID field is empty. If so, fill in with the correct client ID value. |
400 | OAuth is not enabled for this API | Check if OAuth is enabled for the API. |
400 | Policy access rights doesn’t contain API this OAuth client belongs to | Check if the policy rights contains the proper api_ID for the API. |
400 | Request apiID does not match that in Definition! For Update operations these must match | Attempted a PUT operation using different api_ID’s. Make sure the api_ID’s are the same. |
400 | Request field is missing | Check if the request field is missing. If so, fill in the request field. |
400 | Request ID does not match that in policy! For Update operations these must match | Attempted a PUT operation using different policy ID’s. Make sure both policy ID’s are the same. |
400 | Request is too large | The request body exceeds the configured size limit for the API endpoint. |
400 | Request with empty authorization header | Fill in authorization header for the request. |
400 | Spec field is missing | Attempted to trace a request but spec field is missing. Fill in the spec field. |
400 | The provided request is empty | Check if request in the GraphQL playground is correct. |
401 | Authorization Field Missing | Check if the authorization field is missing. Check if the OAuth authorization field is missing. |
401 | Header missing | Check if header field exist when making request. |
401 | Key has expired, please renew | Current key has expired. Please request for a new key. |
401 | OAuth Client Id Empty | Fill in the Client ID field. |
401 | OAuth Client Secret Empty | Client secret is empty. Insert the required client secret. |
401 | Request signature verification failed | Possible empty signature header or validation failed. |
401 | Wrong Password | Enter the correct password. Contact an administrator if further help is needed. |
403 | Access to this API has been disallowed | Request access to the API from an administrator. |
403 | Access to this resource has been disallowed | Request access to the resource from an administrator. |
403 | Attempted access with non-existent cert | Check if authentication certificate exist. |
403 | Attempted administrative access with invalid or missing key! | Check if there is correct security credentials of the Tyk API. |
403 | Certificate with SHA256 $certID not allowed | Certificate ID is nil or invalid. Please have a valid certificate. |
403 | Client authorize request in with invalid redirect URI | Check if Auth Redirect URI is malformed or use a valid redirect URI. |
403 | Client TLS certificate is required | Check if theres multiple APIs on the same domain with no certificates. |
403 | Depth limit exceeded | Exceeded the depth limit that has been applied. Check the key/policy global limits and quota section or the API limits and quota section. |
403 | Empty Signature Header | Fill in a signature for auth keys. |
403 | Empty Signature Path | Check if path for signature is empty. |
403 | Failed with 403 after $x-amount of requests over quota | Process request off thread with quota or process request live with rate limit or process request off thread with rate limit. |
403 | Found an empty user ID in predefined base field claim user_id | Request with valid JWT/RSA or signature/empty user_id/sub claim, or signature/no base field or no sub or no id claim. |
403 | GraphQL Depth Limit Exceeded | Exceeded the depth limit that has been applied. Check the key/policy global limits and quota section or the API limits and quota section. |
403 | Invalid Token | Check if JWT token is valid and not malformed. |
403 | Invalid Signature Header | Insert correct signature header value. |
403 | Invalid Signature Path | Make sure signature path is correct and valid. |
403 | Key is not active, please renew | Create a new key. |
403 | Key not authorised: Unexpected signing method | Invalid JWT signature, JWT access with non-existent key. |
403 | Key not authorised: OAuth client access was revoked | Check if OAuth client exists. |
403 | Key not authorised: no matching policy | Request with invalid policy in JWT, or checking session and identity for valid key for openID. |
403 | No matching policy found in scope claim | Check if scope is wrong for JWT request. |
403 | Quota Exceeded | Quota limit has been exceeded. Check quota limit settings. |
403 | Run Go-plugin auth failed | Used an invalid token for authentication. Please use a valid token to authenticate. |
403 | This API version does not seem to exist | Attempted to extract version data from a request. Version does not exist when loading version data. |
403 | This organisation access has been disabled, please contact your API administrator | Organisation session is inactive. Contact API administrator. |
403 | This organisation quota has been exceeded, please contact your API administrator | Organisation’s quota limit has been exceeded. Contact API administrator. |
403 | This organisation rate limit has been exceeded, please contact your API administrator | Organisation’s rate limit has been exceeded. Contact API administrator. |
403 | TLS: bad certificate | Check if the certificates exist and have valid ID’s. |
403 | Version Information not found | Checking version data from request. No default version has been set or found. |
404 | API doesn’t exist | Checking if API exists when rotating OauthClient or if ApiSpec value is nil. |
404 | API for this refresh token not found | When invalidating OAuth refresh or if ApiSpec value is nil. |
404 | API ID not found | Check if API ID exists in the Gateway. |
404 | API not found | Check if API exists. |
404 | Bundle not found | No bundles found within the Gateway. |
404 | Certificate with given SHA256 fingerprint not found | No certificates exist in the certificate manager list. |
404 | Couldn’t find organisation session in active API list | Attempted to update session object. However, spec for organisation is nil. Make sure to have the correct organisation ID. |
404 | Error getting oauth client | See if OAuth client id exists in the system. |
404 | Key not found | Failed to update hashed key. |
404 | No such organisation found in Active API list | Make sure organisation ID is correct. |
404 | OAuth client doesn’t exist | Attempted to retrieve APIs for OAuth or client ID. Client ID was not found |
404 | OAuth client ID not found | Check if OAuth client ID exist in storage. Check if OAuth tokens or client details are valid. Failed to retrieve OAuth client list. Failed to revoke OAuth client list. |
404 | Org not found | Could not retrieve record of org ID or failed to delete org keys. Spec for org is nil, make sure orgID value is correct |
404 | Policy not found | Could not retrieve policy data. Make sure policy ID is correct. |
404 | There is no such key found | Check if key is already deleted. Check if hashed key has been deleted already. |
404 | Version Does Not Exist | Check if version path is filled and correct. |
405 | Malformed request body | Attempted a POST request with a malformed request body. Make sure the request body is valid. |
405 | Method not supported | Attempting to add a method that is not supported by our system. |
411 | Content length is required for this request | You need to provide the Content-Length field in the request header. |
429 | API Rate Limit Exceeded | Check the rate of the requests on the API level. Check the rate of requests on the API key (Auth token, certs, etc). |
499 | Client closed request | Check if the client closed the TCP connection |
500 | Cache invalidation failed | Attempted to scan or delete the cache, which failed, causing cache invalidation to fail. |
500 | Can’t detect loop target | Verify target API exsists. Check if URL scheme is “tyk://”. Refer to 404 errors |
500 | Could not write key data | Failed to update hashed key. Make sure key name is valid. |
500 | Delete failed | Attempted to delete policy with invalid filename. Attempted to delete API with invalid filename. Attempted to delete OAuth Client with incorrect OAuth client ID. |
500 | Due to enabled service policy source, please use the Dashboard API | Attempted to add/update a policy and rejected due to Policysource=service. Please use the Dashboard API. |
500 | Due to enabled use_dp_app_configs, please use Dashboard API | When trying to import OAS, when Dashboard config is set to true. Please use Dashboard API. |
500 | Error writing to key store | Attempted to update session with a new session. Make sure orgID is correct. |
500 | Failed to create file | When add/update policy, failed to create a file. Make sure the policy file path is correct |
500 | Failed to create key | Check if key already exist or if the key exists with a given certificate. Ensure security settings are correct |
500 | Failure in storing client data | Attempted to store data when creating a new OAuth client but failed. Make sure the storageID, or orgID is correct and valid. |
500 | Get client tokens failed | Failed to retrieve OAuth tokens. Make sure client ID is valid or keyName is valid. |
500 | Marshalling failed | Attempted to import printDef but failed. Marshalling of policy failed. Unmarshal object into the file failed when writing to file. |
500 | There was a problem proxying the request | Check if the target URL is unavailable to the Gateway. |
500 | Unmarshalling failed | Key creation failed. Failed to create OAuth client. Failed to update OAuth client. |
500 | Unsupported schema, unable to validate | Check if GraphQL schema is valid. |
500 | Upstreaming host lookup failed | Check if the target URL is not resolvable in DNS. |
503 | Service temporarily unavailable | Check if a circuit breaker middleware is enforced. |
503 | All hosts are down | Attempted to reverse proxy a URL rewrite to a scheme and host, but all the hosts in hostlist are down. |
504 | Upstream service reached hard timeout | Timeout awaiting response headers during a request round trip. |
507 | Status Insufficient Storage | Attempted to update an API through a POST request but failed to due insufficient storage. |