Error Types
Error responses with 400-level status codes include a type field describing the root cause of the issue. The type of the error can range from incomplete authorization to duplicated data. The type is a URI as defined in Error Responses and RFC 7807 – Problem Details for HTTP APIs.
This section documents the various types of errors and how to avoid or fix them.
401 Errors
401 – Unauthorized errors mean that the operation requires authentication to be completed. The application has likely not authenticated or the authentication has expired.
The 401 response may include a WWW-Authenticate header field whose value is a string. This string indicates the additional authentication scheme(s) and parameters applicable to the target resource or operation. This normally occurs if the request requires authentication but no authentication was passed (see additionalAuthenticationRequired in the table below).
Error Type Name | Meaning | Remediation |
---|---|---|
unauthorized | The request lacks valid authentication credentials for the target resource or operation. | Authenticate the user. Pass the required authorization token with the request. |
sessionExpired | The user’s session has expired. | Re-authenticate the user to get a new access token or other authorization. |
additionalAuthenticationRequired | Additional authentication, such as multi-factor authentication, is required. | Complete the additional factors as per the WWW-Authenticate response header and add an additional Authorization to the call. |
loginIncomplete | The user is correctly authenticated but additional actions are required for activating their login session. | Instruct the user to complete the additional actions to activate their login session. |
passwordChangeRequired | The user must change their password. | Instruct the user to change their password or other login credentials. |
invalidCsrfToken | The CSRF token is invalid. | The client application is not correctly configured to send a CSRF token. |
403 Errors
403 – Forbidden errors mean that the user and/or the application is not authorized to perform the operation. The application may be authenticated, but not have the entitlement that allows it to perform the operation requested.
Error Type Name | Meaning | Remediation |
---|---|---|
forbidden | The user is not allowed to perform this operation; authentication credentials were provided in the request, but the server considers them insufficient to grant access. | Check the user’s permissions and entitlements before attempting the operation. |
customerDisabled | The user’s account is disabled. | Have the user contact the financial institution for account support. |
antiMalwareRequired | The financial institution requires the user to have anti-malware software installed. | Have the user install the correct anti-malware software. |
modificationForbidden | The user is properly authenticated but not authorized to create, modify, or delete resources. | Avoid modification operations for users with read-only authorization. |
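
An added example, not part of the original documentation or the API provider's own code: a client-side triage routine that maps the error type names in the 401 and 403 tables to a next step and parses WWW-Authenticate when the type is additionalAuthenticationRequired. It assumes the type name is the last path segment of the type URI; the api.example.com host, the ExampleOtp scheme, and the action labels are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Type names are from the 401/403 tables; the action labels are this example's own.
ACTIONS = {
    "unauthorized": "authenticate", "sessionExpired": "authenticate",
    "additionalAuthenticationRequired": "step_up", "forbidden": "stop",
    "loginIncomplete": "user_action", "passwordChangeRequired": "user_action",
    "antiMalwareRequired": "user_action", "invalidCsrfToken": "fix_client",
    "customerDisabled": "stop", "modificationForbidden": "stop",
}
_PARAM = re.compile(r'([A-Za-z0-9._~+-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]+)')

def parse_challenges(header):
    """Parse WWW-Authenticate into [(scheme, {param: value})]; token68 is not handled."""
    challenges = []
    for part in re.findall(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+', header or ""):
        part = part.strip()  # parts are split on commas outside quoted strings
        m = _PARAM.fullmatch(part)
        if part and m is None:  # "Scheme" or "Scheme param=value"
            scheme, _, rest = part.partition(" ")
            challenges.append((scheme, {}))
            m = _PARAM.fullmatch(rest.strip())
        if m and challenges:
            challenges[-1][1][m.group(1)] = m.group(2).strip('"')
    return challenges

def error_type_name(problem):
    """Assumption: the name is the last path segment of the `type` URI."""
    return urlsplit(str(problem.get("type", ""))).path.rstrip("/").rsplit("/", 1)[-1]

def plan(status, headers, body):
    """Return (action, detail) for a 401 or 403 problem response."""
    try:
        name = error_type_name(json.loads(body))
    except (ValueError, AttributeError, TypeError):  # body is not a JSON object
        name = ""
    # Unknown types fail closed: re-authenticate on 401, stop on 403.
    action = ACTIONS.get(name, "authenticate" if status == 401 else "stop")
    if action == "step_up":
        lowered = {k.lower(): v for k, v in headers.items()}
        challenges = parse_challenges(lowered.get("www-authenticate"))
        return ("step_up", challenges) if challenges else ("authenticate", name)
    return action, name

# Constructed sample response, not captured from the real API.
SAMPLE_HEADERS = {"WWW-Authenticate": 'ExampleOtp realm="bank", methods="sms, totp"'}
SAMPLE_BODY = '{"type": "https://api.example.com/errors/additionalAuthenticationRequired"}'
```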
Additional Error Types
The API can return many other errors and error causes which are documented in the full API reference.