---
title: "Errors"
category: Get Started
version: 1
stability: stable
deprecated: false
replaced_by: null
last_updated: 2026-05-03
---

# Errors

Valora uses standard HTTP status codes and JSON error responses.

## Common status codes

| Status | Meaning | Recommended handling |
| --- | --- | --- |
| `400 Bad Request` | The request is malformed or unsupported. | Check the endpoint documentation and request shape. |
| `401 Unauthorized` | The token is missing, invalid, expired, or the wrong token type. | Re-authenticate, refresh, or replace the token. |
| `403 Forbidden` | The token is valid but not allowed to access the resource. | Confirm account type, permissions, and environment. |
| `404 Not Found` | The resource was not found, or no records matched filters where documented. | Check identifiers and treat documented empty list responses as no-results states. |
| `422 Unprocessable Entity` | Validation failed. | Read the `errors` object and correct the submitted fields. |
| `429 Too Many Requests` | Rate limit exceeded. | Back off and retry later. |
| `500 Internal Server Error` | Unexpected server error. | Retry later for idempotent requests and contact support if it persists. |
| `503 Service Unavailable` | Temporary unavailability. | Retry with backoff. |

## Validation errors

Validation failures return `422 Unprocessable Entity`.

```json
{
  "message": "The given data was invalid.",
  "errors": {
    "email": [
      "The email field is required."
    ]
  }
}
```

## Authentication errors

Missing or invalid bearer credentials return `401 Unauthorized`.

```json
{
  "message": "Unauthenticated."
}
```

Valid credentials with the wrong account type or insufficient access return `403 Forbidden`.

```json
{
  "message": "Access denied."
}
```

## Operational errors

For `429`, `500`, and `503` responses, clients should avoid immediate tight retry loops. Use exponential backoff with a maximum retry count and log the failed request metadata without logging secrets.