Each entry shows the HTTP status the platform returns and the recommended remediation. Anchor links beside every code make it easy to share a specific row in a bug report.
Authentication
Sign-in, identity-provider, and tenant resolution errors.
| Status | Code | What it means + how to fix |
|---|---|---|
| 401 | NOT_PROVISIONED | The caller's email is not provisioned as a workspace user. Fix: Have your workspace administrator invite the email address before signing in. |
| 401 | SSO_NOT_ALLOWED | The workspace is configured for password-only sign-in; SSO is blocked. Fix: Sign in with email and password, or ask an administrator to enable SSO on the workspace. |
| 401 | ACCOUNT_DISABLED | The identity provider has the account marked as disabled. Fix: Have your IT administrator re-enable the account, then retry. |
| 401 | WORKSPACE_INACTIVE | The workspace itself is suspended or cancelled. Fix: Contact your account executive or the workspace owner. |
Multi-factor + step-up
Codes returned when an additional proof of identity is needed.
| Status | Code | What it means + how to fix |
|---|---|---|
| 401 | MFA_REQUIRED | The workspace requires a second factor and the caller hasn't enrolled one yet. Fix: Open /account/security and enrol an authenticator app, hardware key, or passkey. |
| 401 | STEP_UP_REQUIRED | The action needs a fresh proof of MFA. The response carries a `purpose` field that names the ceremony. Fix: Use the step-up modal in the product, or call the matching step-up endpoint and re-issue the request. |
| 401 | STEP_UP_REUSED | The step-up token has already been spent. Fix: Request a fresh step-up token before retrying. |
| 401 | PHISHING_RESISTANT_REQUIRED | The workspace policy requires a phishing-resistant factor (passkey or hardware key) for this action. Fix: Complete the step-up with a passkey or hardware authenticator instead of a TOTP app. |
SCIM provisioning
Codes returned by the SCIM 2.0 user-management API.
| Status | Code | What it means + how to fix |
|---|---|---|
| 400 | INVALID_FILTER | The SCIM filter expression couldn't be parsed. Fix: Check the filter syntax against the SCIM 2.0 specification, then retry. |
| 404 | USER_NOT_FOUND | The SCIM user id doesn't exist. Fix: Resync the source-of-truth before retrying. |
| 400 | MUTABILITY_VIOLATION | A request tried to update a read-only attribute. Fix: Drop the read-only field from the PATCH/PUT body. |
Event webhooks
Codes returned when configuring or delivering webhook events.
| Status | Code | What it means + how to fix |
|---|---|---|
| 503 | CIRCUIT_OPEN | The webhook endpoint has tripped the circuit breaker after consecutive failures. Fix: Fix the receiver, then enable the endpoint to reset the circuit. |
| 400 | SIGNATURE_FAILED | The HMAC signature on a delivery couldn't be verified by your receiver during a test send. Fix: Recompute the signature using the documented HMAC scheme; check the secret has not been rotated. |
Network policy
Codes returned when a request is rejected by the workspace network policy.
| Status | Code | What it means + how to fix |
|---|---|---|
| 403 | IP_BLOCKED | The source IP is denied by the workspace network policy. Fix: Add the IP to the workspace allowlist, or move the request to a permitted network range. |
Attestation policy
Codes returned when a WebAuthn enrolment is blocked by tenant attestation rules.
| Status | Code | What it means + how to fix |
|---|---|---|
| 403 | ATTESTATION_BLOCKED | The authenticator's attestation doesn't match the workspace's allowlist. Fix: Enroll a device whose attestation is permitted by the workspace policy, or ask an administrator to relax the allowlist. |
Generic
Cross-cutting codes used across the platform.
| Status | Code | What it means + how to fix |
|---|---|---|
| 401 | Unauthorized | The caller is not authenticated. Fix: Sign in via the UI or attach a valid bearer token to the request. |
| 403 | Forbidden | The caller is authenticated but lacks permission for this resource. Fix: Have an administrator grant the required role, then retry. |
| 404 | NotFound | The requested resource doesn't exist or is invisible to the caller. Fix: Check the URL or resource id. The response intentionally hides the difference between "doesn't exist" and "hidden by access control". |
| 400 | ValidationError | Request body or parameters failed schema validation. Fix: Fix the offending field listed in the response body, then retry. |
| 429 | RateLimited | Too many requests in the current window. Fix: Honour the Retry-After response header and back off. |